fantom | a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

Analysis

max time kernel
1800s
max time network
1799s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 09:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sv.exe
Size

63KB
MD5

c095a62b525e62244cad230e696028cf
SHA1

67232c186d3efe248b540f1f2fe3382770b5074a
SHA256

a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
SHA512

5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
SSDEEP

1536:unjFXblMp3wgDkbivVSm16KTOKjLIJXc:unrAwgDkbicmbOKj0JM

Score

10^/10

fantom xworm evasion execution persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

amount-acceptance.gl.at.ply.gg:7420

Attributes

Install_directory
%ProgramData%
install_file
svhost.exe

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>UkSn5JhwltTW7/OPcRg/aMOmqqPL/vlg6vEwiwaUSOc7U2lAij3mOC/5AbeBvEJ3awn3j0dEoezBw5IBfIxjBn7GrLPnMVGWw73SO4dnybZhzIPiK0KloXx1fqJVfqHp9O0nuW4CgX0tGEYTYLHGpJwZTCZQW4K2XLakvoLYUWHjbaOCqQo0S7QXIWiAA83ekou43M/cVOcO4cE+bnvJlm8F09cHQM5dldRuhHXx7OnWlvZKDv63/AXkBzDQ8Bnl+OAuPIXV7cewMewZCtsYnsSUacj96m+bRrs2mMIg+dBLQTxZSoGLTFSBCgyMcyO3Vy8SNUBbOqjqbOiFH49pgA==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Signatures

Detect Xworm Payload 25 IoCs

resource	yara_rule
behavioral1/memory/888-1-0x0000000000340000-0x0000000000356000-memory.dmp	family_xworm
behavioral1/files/0x000e0000000144fb-34.dat	family_xworm
behavioral1/memory/2344-36-0x00000000011D0000-0x00000000011E6000-memory.dmp	family_xworm
behavioral1/memory/1696-39-0x0000000000180000-0x0000000000196000-memory.dmp	family_xworm
behavioral1/memory/3024-42-0x0000000001360000-0x0000000001376000-memory.dmp	family_xworm
behavioral1/memory/1712-46-0x00000000003E0000-0x00000000003F6000-memory.dmp	family_xworm
behavioral1/memory/1560-48-0x0000000000160000-0x0000000000176000-memory.dmp	family_xworm
behavioral1/memory/2996-50-0x0000000000DF0000-0x0000000000E06000-memory.dmp	family_xworm
behavioral1/memory/1040-52-0x00000000000A0000-0x00000000000B6000-memory.dmp	family_xworm
behavioral1/memory/1352-54-0x0000000000850000-0x0000000000866000-memory.dmp	family_xworm
behavioral1/memory/924-56-0x0000000000990000-0x00000000009A6000-memory.dmp	family_xworm
behavioral1/memory/2276-58-0x00000000001A0000-0x00000000001B6000-memory.dmp	family_xworm
behavioral1/memory/2556-507-0x0000000001060000-0x0000000001076000-memory.dmp	family_xworm
behavioral1/memory/2968-942-0x0000000001270000-0x0000000001286000-memory.dmp	family_xworm
behavioral1/memory/996-944-0x0000000001340000-0x0000000001356000-memory.dmp	family_xworm
behavioral1/memory/1552-947-0x00000000000D0000-0x00000000000E6000-memory.dmp	family_xworm
behavioral1/memory/872-949-0x0000000000820000-0x0000000000836000-memory.dmp	family_xworm
behavioral1/memory/2136-951-0x0000000000E30000-0x0000000000E46000-memory.dmp	family_xworm
behavioral1/memory/1204-955-0x0000000000210000-0x0000000000226000-memory.dmp	family_xworm
behavioral1/memory/2952-957-0x0000000000D80000-0x0000000000D96000-memory.dmp	family_xworm
behavioral1/memory/3012-1249-0x0000000001160000-0x0000000001176000-memory.dmp	family_xworm
behavioral1/memory/2620-1251-0x00000000001E0000-0x00000000001F6000-memory.dmp	family_xworm
behavioral1/memory/2028-1382-0x0000000000D20000-0x0000000000D36000-memory.dmp	family_xworm
behavioral1/memory/1892-8724-0x00000000013D0000-0x00000000013E6000-memory.dmp	family_xworm
behavioral1/memory/2480-15131-0x0000000000200000-0x0000000000216000-memory.dmp	family_xworm

Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
ransomware fantom

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe"	msiexec.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Renames multiple (3048) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2556	powershell.exe
2856	powershell.exe
2564	powershell.exe
2476	powershell.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File opened for modification	C:\Windows\SysWOW64\drivers\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\SysWOW64\drivers\gmreadme.txt	nidvdy.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\es-ES\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\en-US\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\ja-JP\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\it-IT\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\SysWOW64\drivers\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\de-DE\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\ja-JP\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\de-DE\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\fr-FR\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\it-IT\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\fr-FR\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\es-ES\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\SysWOW64\drivers\en-US\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\DECRYPT_YOUR_FILES.HTML	nidvdy.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe

Executes dropped EXE 34 IoCs

pid	Process
2344	svhost.exe
1696	svhost.exe
1232	svhost.exe
3024	svhost.exe
1600	svhost.exe
1980	svhost.exe
1712	svhost.exe
1560	svhost.exe
2996	svhost.exe
1040	svhost.exe
1352	svhost.exe
924	svhost.exe
2276	svhost.exe
2556	svhost.exe
2968	svhost.exe
996	svhost.exe
2840	svhost.exe
1552	svhost.exe
872	svhost.exe
2136	svhost.exe
2656	svhost.exe
1204	svhost.exe
2952	svhost.exe
2604	svhost.exe
1704	svhost.exe
2988	rfbazs.exe
3012	svhost.exe
2620	svhost.exe
2636	nidvdy.exe
2028	svhost.exe
428	WindowsUpdate.exe
1892	svhost.exe
3024	fatalerror.exe
2480	svhost.exe

Loads dropped DLL 16 IoCs

pid	Process
2988	rfbazs.exe
2988	rfbazs.exe
524	MsiExec.exe
524	MsiExec.exe
524	MsiExec.exe
524	MsiExec.exe
524	MsiExec.exe
524	MsiExec.exe
524	MsiExec.exe
524	MsiExec.exe
524	MsiExec.exe
2428	MsiExec.exe
524	MsiExec.exe
2988	rfbazs.exe
524	MsiExec.exe
2636	nidvdy.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe"	sv.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
27	524	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\U:	rfbazs.exe
File opened (read-only)	\??\E:	rfbazs.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	rfbazs.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	rfbazs.exe
File opened (read-only)	\??\J:	rfbazs.exe
File opened (read-only)	\??\Y:	rfbazs.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	rfbazs.exe
File opened (read-only)	\??\K:	rfbazs.exe
File opened (read-only)	\??\M:	rfbazs.exe
File opened (read-only)	\??\T:	rfbazs.exe
File opened (read-only)	\??\X:	rfbazs.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	rfbazs.exe
File opened (read-only)	\??\Z:	rfbazs.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	rfbazs.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	rfbazs.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	rfbazs.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	rfbazs.exe
File opened (read-only)	\??\B:	rfbazs.exe
File opened (read-only)	\??\W:	rfbazs.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	rfbazs.exe
File opened (read-only)	\??\V:	rfbazs.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	rfbazs.exe
File opened (read-only)	\??\O:	rfbazs.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdm5674a.inf_amd64_neutral_46f893a4f998bb46\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mpio.inf_amd64_neutral_0c74c0f95001b61c\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\ProfessionalE\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\SysWOW64\sysprep\de-DE\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\en-US\about_BITS_Cmdlets.help.txt	nidvdy.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\Ultimate\license.rtf	nidvdy.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Switch.help.txt	nidvdy.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Command_Syntax.help.txt	nidvdy.exe
File created	C:\Windows\SysWOW64\winrm\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\WindowsSearchEngine-DL.man	nidvdy.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\srm-quotadriver-repl.man	nidvdy.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmoto1.inf_amd64_neutral_bf4b404852955eb4\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnle002.inf_amd64_neutral_c7564163ba063094\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\Enterprise\license.rtf	nidvdy.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-DHCPServerMigPlugin-DL\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote_troubleshooting.help.txt	nidvdy.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-windows-shmig\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmhayes.inf_amd64_neutral_507db5d34d7acddc\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd1500t.xml	nidvdy.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\StarterE\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-IIS-ODBCLogging-Deployment-DL.man	nidvdy.exe
File created	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\WindowsMail.bmp	nidvdy.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\audiommecore-other-migration-replacement.man	nidvdy.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\0014\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File opened for modification	C:\Windows\SysWOW64\migration\WSMT\rras\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmirmdm.inf_amd64_neutral_fadec14b0a37b637\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc7100t.xml	nidvdy.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0404\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0003\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_wildcards.help.txt	nidvdy.exe
File opened for modification	C:\Windows\SysWOW64\winrm\0407\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_methods.help.txt	nidvdy.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_aliases.help.txt	nidvdy.exe
File opened for modification	C:\Windows\SysWOW64\spp\tokens\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wpdmtphw.inf_amd64_neutral_a7a22bb0bb81abb0\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\Enterprise\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\UltimateE\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-COM-DTC-Setup-DL\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File opened for modification	C:\Windows\System32\catroot2\edb006C0.log	nidvdy.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\Starter\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\HomePremium\license.rtf	nidvdy.exe
File created	C:\Windows\System32\DriverStore\FileRepository\faxcn001.inf_amd64_neutral_d23021a1eb548156\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mstape.inf_amd64_neutral_c2bb3ef1c45cd5a1\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpoa440t.xml	nidvdy.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\Enterprise\license.rtf	nidvdy.exe
File created	C:\Windows\SysWOW64\Speech\SpeechUX\es-ES\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc4400t.xml	nidvdy.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc00c.inf_amd64_neutral_53a58f4fd7d88575\Amd64\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\TerminalServices-Drivers-DL.man	nidvdy.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\001d\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_split.help.txt	nidvdy.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_types.ps1xml.help.txt	nidvdy.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\authui-migration-replacement.man	nidvdy.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Ref.help.txt	nidvdy.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpk7100t.xml	nidvdy.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\en-US\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll-Help.xml	nidvdy.exe
File opened for modification	C:\Windows\SysWOW64\Dism\en-US\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\System32\LogFiles\Firewall\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\ServerCore-EA-IME-WOW64-RM.man	nidvdy.exe
File created	C:\Windows\SysWOW64\Setup\de-DE\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_functions_cmdletbindingattribute.help.txt	nidvdy.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky007.inf_amd64_neutral_e637699044f367f3\DECRYPT_YOUR_FILES.HTML	nidvdy.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_FormsHomePage.gif	nidvdy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif	nidvdy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_LightSpirit.gif	nidvdy.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Oriel.xml	nidvdy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_zh_CN.jar	nidvdy.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\slideShow.css	nidvdy.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\settings.html	nidvdy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Solstice.xml	nidvdy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ja_JP.jar	nidvdy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.ja_5.5.0.165303.jar	nidvdy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-windows.jar	nidvdy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_zh_CN.jar	nidvdy.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_thunderstorm.png	nidvdy.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\flyout.css	nidvdy.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-gibbous_partly-cloudy.png	nidvdy.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png	nidvdy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html	nidvdy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml	nidvdy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-javahelp.jar	nidvdy.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)greenStateIcon.png	nidvdy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBrowserUpgrade.html	nidvdy.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\settings.html	nidvdy.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	nidvdy.exe
File created	C:\Program Files\Common Files\System\ado\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-right.png	nidvdy.exe
File created	C:\Program Files\Microsoft Games\Purble Place\fr-FR\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_down.png	nidvdy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html	nidvdy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin_2.0.100.v20131209-2144.jar	nidvdy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml	nidvdy.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_SelectionSubpicture.png	nidvdy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base_4.0.200.v20141007-2301.jar	nidvdy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\background.gif	nidvdy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AssemblyInfoInternal.zip	nidvdy.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\currency.js	nidvdy.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-docked.png	nidvdy.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_disabled.png	nidvdy.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssBackBlue_docked.png	nidvdy.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\21.png	nidvdy.exe
File created	C:\Program Files (x86)\Windows Sidebar\ja-JP\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Program Files\Common Files\Services\verisign.bmp	nidvdy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_ja_4.4.0.v20140623020002.jar	nidvdy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsHomePageScript.js	nidvdy.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\gadget.xml	nidvdy.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\localizedStrings.js	nidvdy.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\gadget.xml	nidvdy.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_SelectionSubpicture.png	nidvdy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ko_KR.jar	nidvdy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-common.xml	nidvdy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml	nidvdy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml	nidvdy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ext_5.5.0.165303.jar	nidvdy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-favorites.xml	nidvdy.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi	nidvdy.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\WhiteDot.png	nidvdy.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv	nidvdy.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ja-JP\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\createPermission.aspx	nidvdy.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_agp.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_6455761a23a35ead\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_ksfilter.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7923f6aad177696f\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-c..ng-common.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b3c2623896eb46ad\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-cdosys_31bf3856ad364e35_6.1.7601.17514_none_7c6c058f3c03e7a2\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..lprovider.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ec7b56669f624a73\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-moricons_31bf3856ad364e35_6.1.7600.16385_none_410fda20fe51f655\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_de-de_20ab2674ee3de60d\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Actif3565cbd#\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\inf\ASP.NET_4.0.30319\0416\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\schemas\AvailableNetwork\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-desktop-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1bef73fd1d1dce36\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-msconfig-exe.resources_31bf3856ad364e35_6.1.7600.16385_it-it_60c037f1366449f2\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_de-de_68bfa622c568dbc2\Report.System.Network.xml	nidvdy.exe
File created	C:\Windows\inf\RemoteAccess\0000\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_609ebaed9a394a1c\Mup-DL.man	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-netcfg.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c2b8bae9f83db44d\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\assembly\GAC_MSIL\system.management.resources\2.0.0.0_ja_b03f5f7f11d50a3a\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-cbva.resources_31bf3856ad364e35_6.1.7600.16385_es-es_965a2776069946ce\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ndiscap.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_7c266127b4fabec6\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-00010405_31bf3856ad364e35_6.1.7601.17514_none_ea4c8a7b6c447320\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..n-playapi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6c11c083c2c64217\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Security.#\9fa0c0ee9093a5f1aaabffb101332056\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_en-us_92dafd34e62c3942\settings.css	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-diskcln.resources_31bf3856ad364e35_6.1.7600.16385_es-es_150f921fdd6424e9\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..henticationbinaries_31bf3856ad364e35_6.1.7601.17514_none_fdf0304032171a90\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_f690a24db584a4bb\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mountvol.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_81ea4258d1c53617\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..i-prnfldr.resources_31bf3856ad364e35_6.1.7600.16385_it-it_14f1bcb608757808\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\MMCFxCommon\98b1fc37038b59eb1fcb89ce6284190e\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-azman.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6daa7bd08415f83f\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_0accb12490597570\settings.js	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_4c0c1166b40a064d\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_types.ps1xml.help.txt	nidvdy.exe
File created	C:\Windows\assembly\GAC_MSIL\MMCEx\3.0.0.0__31bf3856ad364e35\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\Microsoft.NET\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..nager-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_abba0ea167743612\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-feedback-service_31bf3856ad364e35_6.1.7600.16385_none_d5c0e508aa96a650\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-appwiz.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bb51efa0e59e628d\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-diskmanagement_31bf3856ad364e35_6.1.7600.16385_none_5d8ca75e896e4607\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-getuname.resources_31bf3856ad364e35_6.1.7600.16385_de-de_43b359310906c525\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..onal-codepage-28591_31bf3856ad364e35_6.1.7600.16385_none_b1935018fdae5da6\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.Resources\6.1.0.0_fr_31bf3856ad364e35\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\inf\ASP.NET\0012\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.InteropServices.RuntimeInformation\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_en-us_11b07c1bb446e787\Report.System.Network.xml	nidvdy.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.resources\6.1.0.0_it_31bf3856ad364e35\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\PLA\Rules\Rules.System.Performance.xml	nidvdy.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1055\eula.rtf	nidvdy.exe
File created	C:\Windows\winsxs\amd64_mdmvv.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1e0b2170bb5d8d1c\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-hlink.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b39bb2bcd16171bb\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..vider-rll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7080f5eb25bfe21e\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..ients-svc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a60bb2c99a8ac4c1\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-pets_31bf3856ad364e35_6.1.7600.16385_none_d0d7ee773d711005\Notes_LOOP_BG_PAL.wmv	nidvdy.exe
File created	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.InfoPath.Xml\14.0.0.0__71e9bce111e9429c\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\diagnostics\system\PCW\it-IT\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\inf\Windows Workflow Foundation 4.0.0.0\001D\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\Media\Calligraphy\Windows Logon Sound.wav	nidvdy.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\WPF\de-DE\DECRYPT_YOUR_FILES.HTML	nidvdy.exe
File created	C:\Windows\servicing\Sessions\31112276_709722304.xml	nidvdy.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-f..type-franklingothic_31bf3856ad364e35_6.1.7600.16385_none_e64fc709d20b9685\DECRYPT_YOUR_FILES.HTML	nidvdy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "32"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DOMStorage\exmple.com\ = "32"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fb3d087c4ee9c4bb22550fd83a039050000000002000000000010660000000100002000000008020dbcca46626e69de7984ae1aa7c5592d5dd665037afb3a7f77b46ea3477a000000000e8000000002000020000000b42500b32eaf559edd5da3340035ad456f55ab884b4cd2fe8cca27a91d8512ae900000001e2e632b3e6c3b071e2bece48f651d0ce7741882937ff087299c6897311eabe2e527aa791c4069d1c95eda0c3ab63ce75d6509c81ded1d80b4210e8b4b672eb23fed11f71d8563323b05c469b0f5485212a13db58e75f2e4dd67d153ce79b8297d6b3eba3b63596f1bb69984aa060a735a39032525d02acf6d268def50531175411f0798cbc1218d6e7540f51f3acbbb40000000b199b03d472952d0306331d68e8853a1d9a08f922d42bb2c8da1a3d4ddc7c2522131f4f93054c058583c283028b01f557cdbb5d3d8e6e4ad042fb07b73dfd8df	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DF3D4401-378F-11EF-B1C8-E6415F422194} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DOMStorage\exmple.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	fatalerror.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0280fb49ccbda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	fatalerror.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fb3d087c4ee9c4bb22550fd83a03905000000000200000000001066000000010000200000000e9e6eadf6b72b28091f1f10e2960219c8c3138ea030f3702a65a2824078ddc9000000000e8000000002000020000000ca5f99e2babe927181a03fb81a0a33a09d323a04d63a9802f28ba58909c9d4f520000000765c26fd28f59e950caf5260abaf4bd2c5a2d45c584cae8c2debd9761819c99f40000000713f7a4b49f9977c8cef21c386e8fb088cbac05aa9705fbf77ecfb34f804d15364daa105d489e95ca5ca268658a949a481d2fcd165a4bf15a70239b8da59bc70	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425989521"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DOMStorage\exmple.com\Total = "32"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DOMStorage\exmple.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	fatalerror.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2180	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2556	powershell.exe
2856	powershell.exe
2564	powershell.exe
2476	powershell.exe
2816	msiexec.exe
2816	msiexec.exe
2636	nidvdy.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
888	sv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	888	sv.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	888	sv.exe
Token: SeDebugPrivilege	2344	svhost.exe
Token: SeDebugPrivilege	1696	svhost.exe
Token: SeDebugPrivilege	1232	svhost.exe
Token: SeDebugPrivilege	3024	svhost.exe
Token: SeDebugPrivilege	1600	svhost.exe
Token: SeDebugPrivilege	1980	svhost.exe
Token: SeDebugPrivilege	1712	svhost.exe
Token: SeDebugPrivilege	1560	svhost.exe
Token: SeDebugPrivilege	2996	svhost.exe
Token: SeDebugPrivilege	1040	svhost.exe
Token: SeDebugPrivilege	1352	svhost.exe
Token: SeDebugPrivilege	924	svhost.exe
Token: SeDebugPrivilege	2276	svhost.exe
Token: SeDebugPrivilege	2556	svhost.exe
Token: SeDebugPrivilege	2968	svhost.exe
Token: SeDebugPrivilege	996	svhost.exe
Token: SeDebugPrivilege	2840	svhost.exe
Token: SeDebugPrivilege	1552	svhost.exe
Token: SeDebugPrivilege	872	svhost.exe
Token: SeDebugPrivilege	2136	svhost.exe
Token: SeDebugPrivilege	2656	svhost.exe
Token: SeDebugPrivilege	1204	svhost.exe
Token: SeDebugPrivilege	2952	svhost.exe
Token: SeDebugPrivilege	2604	svhost.exe
Token: SeDebugPrivilege	1704	svhost.exe
Token: SeRestorePrivilege	2816	msiexec.exe
Token: SeTakeOwnershipPrivilege	2816	msiexec.exe
Token: SeSecurityPrivilege	2816	msiexec.exe
Token: SeCreateTokenPrivilege	2988	rfbazs.exe
Token: SeAssignPrimaryTokenPrivilege	2988	rfbazs.exe
Token: SeLockMemoryPrivilege	2988	rfbazs.exe
Token: SeIncreaseQuotaPrivilege	2988	rfbazs.exe
Token: SeMachineAccountPrivilege	2988	rfbazs.exe
Token: SeTcbPrivilege	2988	rfbazs.exe
Token: SeSecurityPrivilege	2988	rfbazs.exe
Token: SeTakeOwnershipPrivilege	2988	rfbazs.exe
Token: SeLoadDriverPrivilege	2988	rfbazs.exe
Token: SeSystemProfilePrivilege	2988	rfbazs.exe
Token: SeSystemtimePrivilege	2988	rfbazs.exe
Token: SeProfSingleProcessPrivilege	2988	rfbazs.exe
Token: SeIncBasePriorityPrivilege	2988	rfbazs.exe
Token: SeCreatePagefilePrivilege	2988	rfbazs.exe
Token: SeCreatePermanentPrivilege	2988	rfbazs.exe
Token: SeBackupPrivilege	2988	rfbazs.exe
Token: SeRestorePrivilege	2988	rfbazs.exe
Token: SeShutdownPrivilege	2988	rfbazs.exe
Token: SeDebugPrivilege	2988	rfbazs.exe
Token: SeAuditPrivilege	2988	rfbazs.exe
Token: SeSystemEnvironmentPrivilege	2988	rfbazs.exe
Token: SeChangeNotifyPrivilege	2988	rfbazs.exe
Token: SeRemoteShutdownPrivilege	2988	rfbazs.exe
Token: SeUndockPrivilege	2988	rfbazs.exe
Token: SeSyncAgentPrivilege	2988	rfbazs.exe
Token: SeEnableDelegationPrivilege	2988	rfbazs.exe
Token: SeManageVolumePrivilege	2988	rfbazs.exe
Token: SeImpersonatePrivilege	2988	rfbazs.exe
Token: SeCreateGlobalPrivilege	2988	rfbazs.exe
Token: SeShutdownPrivilege	2740	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2288	iexplore.exe
2740	msiexec.exe
2740	msiexec.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2288	iexplore.exe
2288	iexplore.exe
1964	IEXPLORE.EXE
1964	IEXPLORE.EXE
1964	IEXPLORE.EXE
1964	IEXPLORE.EXE
3024	fatalerror.exe
3024	fatalerror.exe
3024	fatalerror.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 888 wrote to memory of 2556	888	sv.exe	28
PID 888 wrote to memory of 2556	888	sv.exe	28
PID 888 wrote to memory of 2556	888	sv.exe	28
PID 888 wrote to memory of 2856	888	sv.exe	30
PID 888 wrote to memory of 2856	888	sv.exe	30
PID 888 wrote to memory of 2856	888	sv.exe	30
PID 888 wrote to memory of 2564	888	sv.exe	32
PID 888 wrote to memory of 2564	888	sv.exe	32
PID 888 wrote to memory of 2564	888	sv.exe	32
PID 888 wrote to memory of 2476	888	sv.exe	34
PID 888 wrote to memory of 2476	888	sv.exe	34
PID 888 wrote to memory of 2476	888	sv.exe	34
PID 888 wrote to memory of 2180	888	sv.exe	36
PID 888 wrote to memory of 2180	888	sv.exe	36
PID 888 wrote to memory of 2180	888	sv.exe	36
PID 2372 wrote to memory of 2344	2372	taskeng.exe	40
PID 2372 wrote to memory of 2344	2372	taskeng.exe	40
PID 2372 wrote to memory of 2344	2372	taskeng.exe	40
PID 2372 wrote to memory of 1696	2372	taskeng.exe	43
PID 2372 wrote to memory of 1696	2372	taskeng.exe	43
PID 2372 wrote to memory of 1696	2372	taskeng.exe	43
PID 2372 wrote to memory of 1232	2372	taskeng.exe	44
PID 2372 wrote to memory of 1232	2372	taskeng.exe	44
PID 2372 wrote to memory of 1232	2372	taskeng.exe	44
PID 2372 wrote to memory of 3024	2372	taskeng.exe	45
PID 2372 wrote to memory of 3024	2372	taskeng.exe	45
PID 2372 wrote to memory of 3024	2372	taskeng.exe	45
PID 2372 wrote to memory of 1600	2372	taskeng.exe	46
PID 2372 wrote to memory of 1600	2372	taskeng.exe	46
PID 2372 wrote to memory of 1600	2372	taskeng.exe	46
PID 2372 wrote to memory of 1980	2372	taskeng.exe	47
PID 2372 wrote to memory of 1980	2372	taskeng.exe	47
PID 2372 wrote to memory of 1980	2372	taskeng.exe	47
PID 2372 wrote to memory of 1712	2372	taskeng.exe	48
PID 2372 wrote to memory of 1712	2372	taskeng.exe	48
PID 2372 wrote to memory of 1712	2372	taskeng.exe	48
PID 2372 wrote to memory of 1560	2372	taskeng.exe	49
PID 2372 wrote to memory of 1560	2372	taskeng.exe	49
PID 2372 wrote to memory of 1560	2372	taskeng.exe	49
PID 2372 wrote to memory of 2996	2372	taskeng.exe	50
PID 2372 wrote to memory of 2996	2372	taskeng.exe	50
PID 2372 wrote to memory of 2996	2372	taskeng.exe	50
PID 2372 wrote to memory of 1040	2372	taskeng.exe	51
PID 2372 wrote to memory of 1040	2372	taskeng.exe	51
PID 2372 wrote to memory of 1040	2372	taskeng.exe	51
PID 2372 wrote to memory of 1352	2372	taskeng.exe	52
PID 2372 wrote to memory of 1352	2372	taskeng.exe	52
PID 2372 wrote to memory of 1352	2372	taskeng.exe	52
PID 2372 wrote to memory of 924	2372	taskeng.exe	53
PID 2372 wrote to memory of 924	2372	taskeng.exe	53
PID 2372 wrote to memory of 924	2372	taskeng.exe	53
PID 2372 wrote to memory of 2276	2372	taskeng.exe	54
PID 2372 wrote to memory of 2276	2372	taskeng.exe	54
PID 2372 wrote to memory of 2276	2372	taskeng.exe	54
PID 888 wrote to memory of 2288	888	sv.exe	55
PID 888 wrote to memory of 2288	888	sv.exe	55
PID 888 wrote to memory of 2288	888	sv.exe	55
PID 2288 wrote to memory of 1964	2288	iexplore.exe	57
PID 2288 wrote to memory of 1964	2288	iexplore.exe	57
PID 2288 wrote to memory of 1964	2288	iexplore.exe	57
PID 2288 wrote to memory of 1964	2288	iexplore.exe	57
PID 2372 wrote to memory of 2556	2372	taskeng.exe	59
PID 2372 wrote to memory of 2556	2372	taskeng.exe	59
PID 2372 wrote to memory of 2556	2372	taskeng.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\sv.exe
"C:\Users\Admin\AppData\Local\Temp\sv.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2476
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2180
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://exmple.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2288 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1964
- C:\Users\Admin\AppData\Local\Temp\rfbazs.exe
  "C:\Users\Admin\AppData\Local\Temp\rfbazs.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\rfbazs.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2740
- C:\Users\Admin\AppData\Local\Temp\nidvdy.exe
  "C:\Users\Admin\AppData\Local\Temp\nidvdy.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2636
- - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
    3⤵
    - Executes dropped EXE
    PID:428

C:\Windows\system32\taskeng.exe
taskeng.exe {832073A3-EDDE-43DA-9B13-4B89AA296DA9} S-1-5-21-1340930862-1405011213-2821322012-1000:TICCAUTD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2372
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1232
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2996
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1040
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1352
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:924
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2968
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:996
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:872
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2136
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1204
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe
  "C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3024
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  PID:2480

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Modifies WinLogon for persistence
- Enumerates connected drives
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2816
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DCD9B66E85E11538059163DDA117D9A4
  2⤵
  - Loads dropped DLL
  - Blocklisted process makes network request
  PID:524
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 96CF125F5E32B2533C8FD0F30EC427AC M Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:2428

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x55c
1⤵
PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f8ca375.rbs

Filesize
99KB

MD5
24d26096bdebbeec6f3f35ffe7610b9b

SHA1
a0b647c9a3aac81fe497af3effb1348013e988d4

SHA256
9b8aadc83299aaa73755c99a7150c7446f52e3bd272e331ac65cc8b82cfa07bb

SHA512
67ab44f1933f6d7bbda6dda4b8989cdca2626c285315bcbeb81b5974de2bcda76b491d2b98f423a4c9d4596d64bcb429feffb6f2fed28991e5ff1f0b64049905

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
72098e24166d9824af663d230c435629

SHA1
477cba411fe64de5bbcda2329c980a0bb3944e3c

SHA256
b41ac2982cfb79c3716bfbd5d23d1a99c099038b7805b16ba5162406a71fca10

SHA512
85c80b3188ecff7d64f79bafb43517acc961db6a71bca3885bae54514fd6f784881656ec55c98132a9d499f59c5b61f63a95f003a196cf25c05c687d55b5d635

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
352B

MD5
6e1bf9705ee4c0e06a2bc3090be2aca9

SHA1
856d43ddfeaecd3bad22c802a28496823a264edf

SHA256
9dfad1796b2c23bbeb88ea011cd25fe102a082ba55a13dda0f69b1c130162a71

SHA512
d91f93c8c20fb7c4db882d6fcee57552cb9612a1f8546413ee05eabc5598b294cb2a54cd3ccdac61b34e7f7870b83f8203470dfb5d7231e20df66ee7c7b9a01b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
224B

MD5
6deb171b282a759b2f3d5fc3e085a895

SHA1
be428f3e82b28b59c906a32e298eefc890aafdb1

SHA256
71d62444c026a4e0f006d614352c5981c8338b51a24a62c41ab781daf4d343db

SHA512
c845e725a853975ac3e6659db3f27524c3c37a8fd4d784aefdd28fc7b1f0f3b46ac7d7e4bd049d194b57e93deacd3a56cdc25e20d9242cc0c47948126fe97d3d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
bde18b2336571b341ecee78886eac7cf

SHA1
bc162b2515c8d1554e2c1a8fbd8c876987bd953a

SHA256
eb3a3286ba5aa8694095200441d1086554cebdaac30fb5fb5abd8246aa63f2f8

SHA512
d55e419a1632968cb7f8797c202419ac978a58df44140e154d1cfabe84befa5263887cd0c50c6762dd8c96c36e7b7d34bd118f6c3efffd240cc793938e3a0d18

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
cb8b7c132edf953ee2b2b2c869de547c

SHA1
900aa1f854b682d22271673de422a97982d3c984

SHA256
12a9ef70c2d78887e37f680785fdc28c4e69ebbbc04f84d88f85253e8200b6bb

SHA512
cc0e4720acfd77d25b83c1942c53caa45bc87211eea9331025fee51ec6eeeb4e9e8baf1aac9314b8573320ff4d9d880fcd12b80d2b2f085aba198ffec8b37b2a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
567f5accf3e81c8e53145e56acd7f8ca

SHA1
766b726b247256a3eb5f1a2166cfe427232ba0c1

SHA256
44d6e19e410ec6f3427315d6b869595447dbb36bd49853715830d73dc41cc91c

SHA512
0f491e1c87523aca7c31ee238c436151e9efd5bddbfa91f661c05248cb5f4bd979fd268319b7c5b419a11c5b739334ee0059af1deabadb55c2dbb82c8c9811b3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
c13b78356f1821c0797c816228303821

SHA1
7e8c5c69e41115b6d35deb0f84c1a70dd6645fe2

SHA256
3e3720645bad45133c1f7c0e6322bc5161865f3ea453effc4e3786d04b1401ce

SHA512
612fc17f17c55c0c04913dad8b7aee87bf6bba2f56600b911dd19295bfe503589a0e5245dc0f97b56fa36408df7ab9fdcf3ad360652aa3d95d280c197bf08d00

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
112B

MD5
09fa50005c6964ed946722c638c8fe9d

SHA1
e2148c6b399aee1d0822e82b0abd1f22b34d505e

SHA256
04a50a8893a5f2c6422846608bfe3811f4cfca546ac3e8713fb39ce2a0947d94

SHA512
1bb36031fddbcef8d2716c84b1ec3491545357efae03584c2393dad9bee7457b35787f954f69be00e2d3b5cdfbcd3b2c311cbc10e4c354a96e4dc7b1af291bee

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
2b03c8f227b61a36d612c0de906304f7

SHA1
984b6d954b524fafda70b622a58e8b87dd4982ac

SHA256
0016f644c1ca5a055ae70dd17116e3c029a11eb0a129b69be3fe197b39586bdb

SHA512
c98cdddc7a1f6266478d056c9ca957fbaf9f4cf03e55ac82f363975bdd9f8a5374a469098e835d49894faefbe6eabda34388aa33831b6a37baac6c253e1a7888

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
345b2a1b1013b1b01177950b1b095c97

SHA1
ab02be53845bb4b30425ea1f09dae703ef3b58b3

SHA256
a5ab790d1f891789ab99967f32580326e4fa672c46e344ab4e3a7d529735abd7

SHA512
a60a69505e5f07824de1b814327f68e59a14cd63ab51f5fe3b6d417624b22004f6cc11c56f8fcfd0318fdc2a9e436e7fbac9676b21a06c50d6a13aa691c8ac2d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
8497cab875ad0157535aae2d3fb4f459

SHA1
9601ebe269a8de25a1dce46343f41aa4ed244258

SHA256
c44016fe7264b0596d861b154bb4c5b05fbe3bb6272ddcb115b675a128e2de4f

SHA512
1fc9263c548cf0856814eb2544b6e5a3c4cd8e7cf5948868c2a958bcc4f3d3404ce3dfad9b16df464c9f9942534eb530a86dadf0a8121c56175fadc85a4fb93e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
2d86de5468dffc1998946ff566114da0

SHA1
a8ed19a40f34d091f1f7c9fcfad121055869514d

SHA256
5a645bdf502bad3825affe1ab25ccfbe0b416c604019f2e8b737075ff7ff73b4

SHA512
edee1df2a304d62fd6f22f80283197bf0bcd8bae1a2d7a2930b9a5aa419ecaa64ab3f51da83891dd5311c9418e78ce5fdff1b3f497dcbf8aa85726ea34285ffe

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
97e63fd597a391406891f813780b5b45

SHA1
087ab11825430f17e8d9ed0a3ea8a55df7ab7a44

SHA256
6e240969280665ec13f097f5d15a756e08f4dca133dbfdd03be332c81dc32dfd

SHA512
f88774edfe970da333a11f0af5a0b2dbf32e2a571046f23bdcbf74a0abc375e4201d6156fd82d538d6552a7a042b40a562bbbf9a2111c70b63bdcde7c49dec21

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
ecb4b3f8b71869fcf7513fe660c0e6dc

SHA1
fa6c68bc8ab6686808dc49e0e7a4d22ad5009930

SHA256
58cb57cc1da4ae64b1c3dc2f10ed3f7ee6432df263a00066a35ebe13b00ea2d1

SHA512
89b0e1a4ab4e10a53531d18830743c294d26d1224fbf2133fe97d6144002b3b10d501558d191ce42445f6daa0f401d45c5068f502d6ca350cb3218c38d228584

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
a2e78ddff83fc5f02dd71b4b10e23755

SHA1
3bd8c3d0465a3de6b34a01e7019258404bf09aac

SHA256
2ad187dbd75b8d1389e2dc44a5654ca3e3fc99e68bcd2459261db95fa6fff755

SHA512
634304a87dcdd6dae395fe4a4f0e3daae397ef2e1466e2ac18500ae36d5319c8ad35d2567abbd1c40fbcc85b89c440019300b2e12e27322ea4fb1661c7d778ba

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
d465a25259f5be5b9ec688a3e31be56f

SHA1
4fe383d5151b76802b8f0fbce1ab13a819f72a77

SHA256
f902fb077de5621b51811c7b19bdae426a05dc945c16ee3b318937238d21ec12

SHA512
2dd22c8c0e72422d773c8666fde8463f46db02f70d690301cee1cab8186b235eca0e259ca973acfde3f0437d266c2e09e9bc7b3ff6086f8a5ab7fcf8b748aaba

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
7KB

MD5
bfd310458ad6ac1f5d8533e10405262e

SHA1
000d71b722ecf3b333f9cfa15ea34f7729353725

SHA256
95371cb8a337505337c151bb2c10c49029d801376994293b4e06539ed9c54e84

SHA512
b4796093e64939d53c0a1ccbe1e989678322913ba8dcef18ceb8c50916d336b099ac873173199e00e9c14949c4ff1fe2f7213b183d88391433b7eb60f1d0dc7b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
336B

MD5
c07a141cb9a94357a425e2c4a330d8e4

SHA1
eb66cb3783729c1c5d51970d7f3ea8cec933c135

SHA256
5d18ff06961c5f829fbf734413ebc7e7fced5ab37e8879fbafb183aee8f1fb24

SHA512
ccbb1774fdc4d5adc35cd74aa44f50e5f7ef2d9cc76952edd54290fafe1b76eb12dec737457f15ac9ab1eed712035a00717f9808cea673b3a5824776ad0b05e3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
240B

MD5
da2ac5fddb8302423c867912ac653125

SHA1
14672c30eb506d6d4dd0002f3e90bf5a026609f2

SHA256
25f4f5a1b79d729690bde82da78013988bab13629cc74e20d92b378744f8c482

SHA512
4fafd5f7f7cf7bdbec261746350d7a539e6eb02cc93d8fed7c60826fa8ce608f90023e1f5d59006712daae9ab6801291de2c5c9dfe1646d53a7fe4d4731e9fd1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
57e4021699d3c4d72ca0e9ffe872f2b9

SHA1
0085afa882fd7d90c0ae3bef041138bff7cc7a64

SHA256
9fa1d73a1e52b7b500401ab71b3b5d2115e6c4fc7f871c55386c144c5e7d3403

SHA512
b1f6661c2802c7d985cd629900c79fbf766823d8e4c98634dacd763564f1a958f302265653cd92249e2cc824503f02389f41a2e189a1c4e14c7d733da6b173bf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
816B

MD5
10e851962e3e560160da40e22c233566

SHA1
a1f9b95bdf8a9335e00f9b625994f1acfd09c233

SHA256
67072435930288561ce910a9c78cc6fb75733fbd33387c09c615b63502173211

SHA512
cecc4696ecce2cb5bbaafb348e2b9a2fe8d998645274caeba48279b7a6243a504e5ee88b0ab1ada5e80c7a3ee3786ec5aa6b1a01b4230ffd4443e262c6606dd4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
d8f8fa3ef2415d9f79d1d97274d8f700

SHA1
7ba66fe8fa92ad04c2509509486d8d62c475f105

SHA256
d39e52ee0ae880dbf846453a863b9b5285b8d7c68c84ef338d3ca6f9f00fcd46

SHA512
fc41b6cc099bdc264687b127be38b698e67e7472a35453b0b29be47cf045e91c268d5f412abeb3d9df136ea38512054b7ec2da29b4c55af8ee479d3c86c9baec

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
28f26730169685f6344de44b84cc4b77

SHA1
67273c82377669d9281e2b67a56354fc052f081d

SHA256
c128281c7880ecf1632101d859437a0fd11cba8dda1fbb1d0832130b050fd798

SHA512
74dd8706fb5fc9529e2170c5cc4c0b57569685b2dd8c70c8cf68f0aac87324973eff30700fd020fc4877ad9ff47cdf3d8a4c86857bb5bf89c6b952806a903320

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
2a5ad09cfa02095492df88e6a07446a4

SHA1
ebc728581090f680976f0fe3b4e515020691c643

SHA256
560fdfb55f33c073ba9eaa07468e9ed3478cd8760ea930ac3bd1028238255cba

SHA512
62ddfa6c53eb1375eb2e5a58008130ce7ac0ae4ed9716eaa57276e2a9dbe9636fcb87ff56b0ca6a6a24d79544075e3b444a64099f5f1299a2da23d795fba8ac4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
896B

MD5
9b5c76bd865e04f26bc3cec6d6041dd0

SHA1
c75df99151f0d4e1280af6242951ad52b2a75978

SHA256
e1763f67870a8f8c81258a9e166fba019cccb7cbdb9a538b7eb83195a2cca876

SHA512
0de27f721622e3cccd1d22fdb67c39676b29e08cf55746251ea27bb83ab0f695c288c8c33895cabd1ac26b16cd33c4ff43c3546985c6e08ecf5479b53918eb55

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
864B

MD5
706c8c75816f3bcabcce9bccd746546a

SHA1
876399488bbc5689ae66eb870f8a168f6153b83f

SHA256
e04f38316a7d5301b2d2f7ec90ae10ef6f94963bcf45f0bfe968dd982f134026

SHA512
40bd3a257a346cf65d3cc3bc1d5ea5651a7fecfc7b95247835ecb97d369e8a5ae24c8bd504896b84a0614fe49acd15dadd760cd169ce98835dfec8c55bca4515

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
864B

MD5
879eefde0b4473b06339b1972aec4ace

SHA1
77f54ec2f78952fc95b317d618055262100129a7

SHA256
32e7197f5f04dd171790d1e37ea9bd7e4e1b4175adbd086515c0ed810b01dedc

SHA512
6ef0d12403e151f56111e2d578ebea2e817714e6fd2e18b5b0853aa69830cf10c8e8195e76768c4603eec7952ebaaa6adb494a65a2e1bf26080f0283b831dba3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
b0f67202ca44892ecba793be6f8bbec8

SHA1
122a5afecb0ad2dc131a9d39f84ab83d5fb1f2ab

SHA256
1edff86c01943206a8b924791ad102162b2aa5145ad200a8cdf93f65dceeddb6

SHA512
bcb6ccf222c9427f22c78a783ab983376dc89e98de9e10ddc2eebb221e1dc2f712f81b22a03abf0f3d44edacc41d9a1d0d27748d475c991c27ccaca0dcdfd6ad

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
32a245b4df8bc0409f74ec5f1f60696c

SHA1
b8ef2c1eaecc2f12e89f8b7dcacdbd2eab53bc4c

SHA256
86177a1b6e61603daac5c6bcafb932c616539a8c46b88332e733071406dc7771

SHA512
10e9f7dd678fbec010350f2038a44083272ed9d9b544d68cbfb6589a959cff7693b34457ce13da72ffbb682c6784333a20e4e5925a7c3fcd8b81a6dad0200210

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
864B

MD5
c0c442db3f087d2f5116cbd1e10e79a3

SHA1
48b518a2ba2c83ca069a785f541126ca7d3c9ef3

SHA256
301b65be4f7688ab1cc22cab70d2bd99703c3a0dd7bfb13db847ab64f6d83e66

SHA512
85be17cbffef4390f446a08eb54ce5e1c76b21730b357525ba24f0e2eb25251ddaf476cd89f31f5f6701347fb827f4070e14a568e56fdfef9f9e7b0b6824de64

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
848B

MD5
09a6831885bc03387815744c2c56f3fe

SHA1
7bf603ef76a929905733b88fe7404959fd03f9f2

SHA256
c152ad863847397fc64ba19b23a5378582588b56629fd8b454e3d70b32559edf

SHA512
0bc6b46cbd6ec8f86700c6efc17d2e7ec31852ae773529fc35998365a8f7874883d8a7a1da30b0d07c0f588e926e60ee81fd78a9d8b02e8db30537d4b9fc0941

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
880B

MD5
975f6f135c9233109c2e266260475dc5

SHA1
2aad0cd89ca3a24501903433afb9a739987838ca

SHA256
fa314560c3a765fde914b6abd333e5158f3fc0cfae92152763041f27bac08929

SHA512
8e08b0ac88035b82db67c4e1258b14010a245f41279a549630def881fecd555dea80d9dce480872ecbc60a66cc61edbe5afec01e93ff499aeb260275833c8ba6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
848B

MD5
137e58aad3e409cbff0c50ed12590ecb

SHA1
8f41995d256cdcc8e3f492e6d6f2a998e030f4c0

SHA256
d1809e49702825f8ce35937cdc300b1f5ea4b9123a81d76054fa35daa0a23663

SHA512
1e9b573640a753e2d05fd162e123b9698f742f2f7330191f157237fc7aaa923fe793aecb804d02613f25e4c8b916fab32513952846d0ea918df0edda5dcc5bf5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
864B

MD5
6ab83c33a986fe36e4c59f8767fc8e92

SHA1
55eca98e8958ce33605c36f92e997d90a4e1d03c

SHA256
50d16aeb14ffded7dfb17d3a3ec492db222433e09b07e87caa230723bbd3f279

SHA512
c54f07cad72211dd55735f345ed566f0c5e7488d7fcd9567c14b1bc21d3d82f17200d0c50569e1c9206d82b38a781818f2af709058baa0a2d2e39ce206b42f85

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
864B

MD5
388ae77c475eeba468e23b7c4c6c9713

SHA1
f006e78e9190cb54da81fa602f4601893e9467e0

SHA256
d626bb8e90202b858540a409840a3d2c7e78e02ff96752ccd91508530a02854d

SHA512
29e375555182b3bea335fe97c55d2655b621508374357e35bd289e43251124ca5dfac215946aa3f5db6c34c4e64f0eab5d53c6cdc1ef7bc5652f58ad7ec99304

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
864B

MD5
376e42331d58eee61cb92b7cc1c3deba

SHA1
7771d3104ce0d9a634b10c6681110327380da2b8

SHA256
03cd04b63d2d22b03f4bbb0261d6f97d41f5240c2eb1b64613295942c294302b

SHA512
2613ee912faf31ab7df44ce93fb3efc85b90be2eef997ad14177ba4b1e35125c32054831e4286e154ca783a75c3b51a6f41784364c9e8e0253267fc38bec024e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
896B

MD5
0d971c5655e86f7f1199060894a60113

SHA1
9f80c7936c0df9e2d3cf7818abe21c7587fae4aa

SHA256
5f8669649c998782accaa52a5ddef115e099d728f90c78dfd41aa34e9e72be21

SHA512
d4677396281df7d3b797b5335385262e4e21d4a714c798411f6f9fb6b4dc44a1d79dec463a5d9667fd6e7379a7e7a9f5ebc22dd16988768f16eb283255a13fe3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\Microsoft.Office.InfoPath.xml

Filesize
247KB

MD5
f6b63ccb051e64c16307341bdde1a95f

SHA1
5337951cb9d6bf4030e0b101848c32dc341904fc

SHA256
2a346b520887a17210903e32eae006e32c08a0dc23af5132dc45b7b6beda547f

SHA512
d181faca2be254ccf61eed092c9d2a79f98dada2be4578eb7787495ed0cb0f728fe00bbee0c3403a9c333266a42cc7e7a248cf45cd96a0dfa60b5956182cf01a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
160B

MD5
b126c338a544f19fade9d954a2ae4635

SHA1
ff2459f90c00924db8fa74c6e33e73cf8c1fdccd

SHA256
2f8a9e1df2507d95c5b122d9ccad770081e0afd88468018a6feaf859c7486373

SHA512
3087b0a8118b6dd843506f4a79b0eda724e1a61c4511d462d74f0dd87531320f39b5dd3d8e127139e4822abac5e37b71d59699905d7669681862e95626ace299

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
2c6e29ad05120b3fb82283c1d5b16b35

SHA1
610315a13149fcd0dd76b46ae58f09a793481077

SHA256
f148c452c809f57015a396511c105115d6aa8830716578b68f2cb07bab4059cb

SHA512
ff6897d277f2c44c25fc6a999e9ae508ec6f51192dcd9fc7ef4de1c6d363bd622eb9d6b81e37edf3c48761a590385ba3752f576d10a9150894b2810ffae545d8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
d12c58889f1cf8ec5e03b582b7d530b1

SHA1
21a51a39c2560930c363167998810c6fd1e0892e

SHA256
2a5832a346ae5663cfb458c8499799bda0052fd14d054c200d6f779fb398cff0

SHA512
d845bef64d50794ded398326de53f8b3099725480a808f8b46d186a26abd9460d2c620293b966fe65ea05713d878340f9eca631ce613285df49f281202b2cc39

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
3b54248846feea2f6634d8ee5df36e0d

SHA1
169ab10ebe0da3ab30ac8e1fb68817237dfc6245

SHA256
ade31ebffdc7a762da1b7ff04f8157f2f1a82bb5273eaa2ee5cd622337673458

SHA512
4b63c8ac2189753decc5b4ad78f012d702bc192a5c2ffc2ee9b0e4f9e14d981762b79cf9976839b0cf855c95a3b7854a766eb66a0723b2bae22332144d668282

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
6a89e4b0f7b13a89fea617c87482d55f

SHA1
a34c64522bba57e81d7985aaec6ad8a3095df167

SHA256
066276d26a5694f40285fca92989ce00916c6018b446d33aff5752e98d5aec59

SHA512
8c17d87abbe8cdfbf89d612874e03f3f02bc22dc380d35148f9d0ca53e8c7e4f8f2964ca795d897ebc76ab9e11621c43cceace135ca3578aa1b988800002835e

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
f26e37f20971e4c57b39095b3e0e071c

SHA1
a92db1adb569e404cfc2ce62216aef5c3916661e

SHA256
9ac02849c677881804d1bbdcbd97d984ac88775ec240a661c34172e10ee06b9c

SHA512
9ce082c3ca4c14c916bdbe7d104eb739e632564ac4e69c7458e13d66394d8e338c20ab8bf55052bc13d71974332aeddd6868c96cc3e1c9f6b96d5b6b6b037796

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001

Filesize
16B

MD5
98c8cbe97a9efa2a472dd52383c0fc95

SHA1
3ecb1074c9e0eec42be2c6d15cd3143d1ed3655d

SHA256
a56d8c12717f5da6cd2f5e9006c2cffdecb08a916fa125ebeb16ef997c792e90

SHA512
ef94912ca4029d1584339d5ae2ac899df727546c64941ab46514fdb098e3b26c6f3e2e30a8e2fb068d967b371d18fedef256e1797f794727cc8f0f68e7c0e57a

Download Submit
C:\ProgramData\svhost.exe

Filesize
63KB

MD5
c095a62b525e62244cad230e696028cf

SHA1
67232c186d3efe248b540f1f2fe3382770b5074a

SHA256
a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

SHA512
5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac4622b1e231f1c1646b75d0918706f8

SHA1
4bbd8ef79b3d9e4629db9624a0b86c479b8b0d17

SHA256
8fdd38e1eefdb9bf5b08b8ce07de2abfe41eaf1526d2b2be51fdcfca30970d50

SHA512
540702673531d15cf3103c2fa2e3190d425cda3e464195dd80b64dc7dcaa0f75b7d92d2bccfd872d9eb7cbdf6e56d1894617f19757b6456a94e90deb9dec5c3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da1760c4eb77c181c95fc871c85a8254

SHA1
a439108978561b8030d4e0fdf122bd3d3399bedd

SHA256
8fb293a668e0feb2045d6ca6eb1e803dc7b29dd1365f81fdce9fb6be84443910

SHA512
e0f491eca840c4f69f4f80294dc3b2b52adb2589320557218546d1fe7c430c1d7f162f05aac5a024f14badb030086018a18391e630108b2ec024a3358db704eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3666d5b2032e95fcf7741c7261a64cdf

SHA1
7093062a119bd8e3e927abda4a29a419c545a257

SHA256
d057bb05ae1268490aae4b7b192ac0c723ea9e5321b68ea7e870221f1d49e703

SHA512
68b9ceb1b9a6fdd2359923305caba901ce60101c84712d7dc1d308558e87326b943e046262328f2fbcb00925c434e6ed4ccf9f946544f1234d682ec208bf3df1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
325fd3bc0801ad94be42f1e7b7686809

SHA1
cb83a9d26d3d9e4c31448ea7cc5073ce42245cef

SHA256
2e820624cd4321cebc30e5224093d35450ab71ed5d9be8536b87f15ac1e0f851

SHA512
2ae2cd72a13df81702dcfb8c228dcd39959e5f7e832f8d27c2c0d1711b97ade756d126c59c15f0ed1d01b2aaaf763af73b4602ce5ee9e5f15dc388f4e278d60b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e35ad44f2dc98920dd004518fee305b5

SHA1
ca5d8332551ee32546ec6f3c003096a5329b3850

SHA256
d95f44d0c5ce6858b2ef6a35bf705443942ae8f3b115b98aa9ef8641f19f5a5f

SHA512
2892f71d1b2aba0e01051c654e1b5d849835c8cfc3f0ce5336dacc6ad4c6a7ebd37eb7d3525adcc79a786dd675684d26fb802f865b3e46be0f7d55b6768c7c8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
792c599e16ed3a0efbac2fd24378f260

SHA1
bf627acb8268985c989401d7fa0c224d4850105b

SHA256
777507abf579da83d0d58dfa44a045933466c165c6b940b54f9de9920858f765

SHA512
ab4228b266574d3b7e0c8444e62eccdc18bcae18992717f396e3b3f28c7e8adc275383d1219a75983247bc357e8614590a556421e769fa0d2ccce1649c098c73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42361ee93ff7c0d1eda081b00a4df761

SHA1
a0dbe50241f152fe1e30bc99a0634fe99fbe3061

SHA256
cad79d26f335e73df0dd3e9b7c5758a03166318cdc87a5e42a45e518cf9f10c6

SHA512
cc20e7cefa146dbf1f3feea5d2011f98de573554542782647eb7d8c902be8a2236df8e734efc67585f13c0678cd2fbcfe76b3afaabf0b6cc0797365d1e73cbf1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3c8b78a26e1de657a658ac61fecccda

SHA1
665bd442e9b686afd0b7313e0eefcfdd13cbf2a7

SHA256
43c51a28f60bea462428ad7a9e337e3bcd34586b85620e3b2ecfd4e39b894705

SHA512
8bd67edb98f0581c608828a611cc2e56becbbf1aae7e6ca3e45170feb8073734859a877d49f942d25965c38a2dd04c5612fa64cf5d63b627477495b877e4e98a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b79c6eda4da587e4c6007963803f979

SHA1
0f0d3456a8c468cff68147240ca482fd7d7450bd

SHA256
9dc3d290e698ebb8cfdcfa15c905db765af1e957fa962c9ebed23f257b3569db

SHA512
047e1f056257954d838c7c6d8db01e7b0a7484bfe25421e644a2fdbffd73d54555861bb11d1409010bc6c91473ada07cdfe922602dd901345131b4da7b263323

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
954e44c4e00c9b319e0f69133965381e

SHA1
5309828749fc67fc7c6068ad803f376aae7cbddb

SHA256
0ad729ddb715b238946e134eea13f7925952cf09b5965b5f0178ce5f18d9435f

SHA512
219f8587230a37f0ef159e3225c5f9cae81c7ad1bc46461b7e2d98a9918cdf932be4bdf9025b11a770fb2e0f16a63e53b6366892d35c99645e1fc3fc3543a8f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34ae058e74f25e33249431935cbdbce1

SHA1
057c0eeb180f646477e69a8c9096b9e06b5d9f30

SHA256
bfdac47a14d57b8dd838af258a3f2e9eab4d11543b93d98e85647b521ef70934

SHA512
fa5148c09328df19cfd13b39ab0be713303390e8039dc923ea3a924f2ebcee9d263f784f351facfcdad7edbc12b21471a549aa78b1b450fcb3d7e4b758c0a86a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b06f50ba771835ac156fb1d861f6bdc2

SHA1
a9c53405db2c64f3e9373ceec9701818b22e5139

SHA256
f9141f429aa486be86e7ea18f29c4b7e7a0b0431527e1467e4547220c6b52c35

SHA512
d00ab816aa66cd584b7d2f6cd3503f7ce19f7ff5ce435d5b512402d43501c6b9bb099abcd2e0d5a4609c00440b1876f53211c7584d64ca67a7524414725b9ae3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
691bb18b2aa65ba17bfeae1ea51ae705

SHA1
ed0dfed71f90c4837b531e2b6ea5fef58bfdc039

SHA256
7d96b63c3c6bf00076793d6889ed680d6f646e38cc9713af01e412421aca6149

SHA512
848f43953f8513f751f439ac90e8d2e250a8b2d10dd5e2af58d69c28efceec553e7ed97fb042b8d8a8f63240ea9eceb8f8c0daa618045deabd06f5520ef67990

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a6674a46d71f4b29ef3bce0da8a54dd

SHA1
5bcd3f7fbed3cabdf168d40b662eb18100e81b1e

SHA256
52a517a8257cdd50ad005e8b3bc13c393c857f50971076bcb8dd59304f8b7ca0

SHA512
f359c72cff89d4e3c5377dc8b33777530b0ac3d6876e051d2ecdf643cd0bc2f1f90feb855334515e00e52062d082fd872bceb136387a791aaedda4c9f32e78bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c465067ea7f6bcb585d6660db29ca0e2

SHA1
98e4b2b2e24204c02d725f583e65a477d7017359

SHA256
a104c675565e653f383ee579b0873bca6975c06c7d44193647113a1627b531d2

SHA512
e6b59f4d4e75f080d5e8cfb93cd43dc07a09a037d17202cbdb3a3c1a4bd3992e2d606cdb86719cabe70ac32226bc77aea88349c1057ffa07b22a885596d51c97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc80651d89b8ecfc71ea24f4a50807a7

SHA1
7af4632aadc406041409168ff3cbbbc006d230de

SHA256
4ab42be5e6690f7669a5e9026600c52fde586f1e98e0feb3fbb3cceb7456f4e9

SHA512
1d791c9bf20454e20f04edfe0485e849714b0f228ed026fa975ef9beb3b9a30c84965ded6a747725df9c53e632b16347ec6c7c291dca8177dfbb8fefd52ce0ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ac12ce61df8f3d12fc60ca7a36e311d

SHA1
9baa54085b713aff109fa884971aa8f159e32a49

SHA256
025994e15decee66c886e779146c2d015eaafce7e509deabdba58c92b5dfb202

SHA512
a3306204ae5c06b99f728df14c34192426557f8088b4246509e0ba06c05e95f9e541a93360fbc4f17bd3238c94c6aee169bcbbe63ce68074bee67181de983dd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60f68d5d8678202e5b5a3be42bd307fd

SHA1
a14b30d6bdd341537c33fd36413e06aff0891f3e

SHA256
463ec58005a4bec166313613f1651893666945f37f3047ac3dbac3b2781dcb0f

SHA512
3c5722fd156f0b55aa96a4ea5276d45aca2204e39118ffd5e6376a0a4d90de740410189f05274796f8cb96d07204b01408f45f7911a106eb82cef6daaa62d04a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
669e16f9c079ce648eaff69fbffc6946

SHA1
37497e789856af7b893a9c0ed945c80591852704

SHA256
470d1594610296b4d213fb7bec0cc8491429f3dd3dc9daa41cc192b1a79edbc2

SHA512
8f30d0730da72c8a0716c15b4c0ce2718e04652c0cc590e0322fb11775252b7a577533cbf13dd836f5be3160fb6e04a879dc47ad8b1b0485a07bca08009f6b78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13de1233658522a79b5b265591ae6289

SHA1
a2f1849f76fe10819cf1fc532e4afb4bdbf1c374

SHA256
817fcb180fa13d875083dbd52b2f1ff647b28399acf9251555c8bd0b75e37c5b

SHA512
7085ef97162c1833d852d7ca217649f611dbcacf550f41947dbf6631efbf86e3f43c2a72f2bd16133fcca0feb2ce12ca3bf112bbaa64829610a16b1afa5e317d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b76ca1b563a3f7ba64e94ce65040bdc2

SHA1
9a12ea97be868190c6923dc7b83f7cecf1b1f218

SHA256
9d236788408aa276125d7a10adf06b7bc0a34ae1e12117f0ab1bf1c7e02f32ee

SHA512
9e84534eb7b11980a06ad4c53a08a320fb6885650840806dff841f0dd12f292a820ba6ffb1fef9cbd21611fd96357955dad03f5b653de0bf87eb02545fcabd28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ea84b2e08826a0fe6a13d2d5d5139c2

SHA1
db657076add2f939cfede01d1b752c03560d8167

SHA256
f6164d5e83055df18cfed24145eda60b681aefb3250468ca66787dcb361013b7

SHA512
6718a0d6397dc6157cd61cc6190defed8bf91f82175244cac5621316db37d70613c5e94f51465f8f8b9f134149e6b53512472608ef724007f3094d4dc02cdb31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TNPG4FQ8\favicon[1].htm

Filesize
1KB

MD5
e0dc97debdfae982ba9dabbecfac652a

SHA1
f5dc07e878fb3b4ca3ed0a12e2b6bfd0736a04e4

SHA256
93c9b4deedd8116f7e455d5d87ac74c50cadfde9e198af6607f4ad2250cd3ee2

SHA512
2c792cb18141e0129290ee82e81956398c405b575ca6d8b4d00253435e13351faf79f0dbf4237d3eeb9dba5e9d477f07d1528c479a16d73a48a46539287bbd61

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini

Filesize
69B

MD5
7df1fdcc5dc12f1b3d58e86f009ff089

SHA1
69ae6e65fed1b7d6ed8d76a179016d595703aeaf

SHA256
dbe2b83d611646584b4bfa8113e3b412f1c02ac03fa28b794a66945db28ab351

SHA512
a89b09e0b0ea60430e18b6f53cb65712406f29eec736aaf0d71ef2c5bf2d223d1ca698a013b52a0555e640073b1c2d9236723b36dc99cdab3403df8f1984e2b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini

Filesize
84B

MD5
340dd4b65ee7336640d434db028d84c4

SHA1
9b06d1fca3877d52d5c446dcc9e3f93e9dd55d0d

SHA256
7f8ac88d588d6432a1bc01601f3d59d91a075f7a8ac84ae0372f388b576f24f4

SHA512
baf77b34fb3c3ec461b4edd35e82c67a19f9c53d9889ed871c7e39f6464a52b96c46de03d52b25f478ff707e06a55e29d91199fd8cefb8f6a139769d6763aac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{DFA61F38-06E9-4E86-860B-AFF945093527}.session

Filesize
1KB

MD5
9df9c12dc7e354a1a4496c7b6a504c9d

SHA1
d9a5f1e4df1561019f159c3ecfc53cf35a760cff

SHA256
4ac37e8fa137be272583c9e52ffcec8037c1b731cd80d3d5d7ee345d8bf5d803

SHA512
e7cd9be5b16f9ba8450918ff39b630ee1a4c0a55f3fba42d9eaaf0bd20ddb5b07f33920ae54e65ba09e1b3e9bb5df2c36af473371e608df90a2d8cb938772334

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{DFA61F38-06E9-4E86-860B-AFF945093527}.session

Filesize
1KB

MD5
cbeb5f62226bd5d2ebf39625b9793505

SHA1
5d8549bf052e247bc1ca3a76bb9a62110e37f68e

SHA256
af422a2b6ad354926ddd66fdf0e3ff93972bb68aca4be0e6b4c72008765a8263

SHA512
2146b302cf5d2088dcc6e9e7276c91c1c5ac29deca403fc5ff99e30bf0d08b14d7b97547b16fb765a5b06a2f613e6ca0563a9a86c39ac83084c8c34110257c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{DFA61F38-06E9-4E86-860B-AFF945093527}.session

Filesize
1KB

MD5
b88bef2b4a07ab9aee2f4e25152983b1

SHA1
ce6174c3ce668ee46d67d13790eaf16a3b174609

SHA256
0e6945a0390227b41ec8543075f70562e5ca3ba30793621bf7829c416074aec5

SHA512
491be5284cb72abaed9cef3fd4ddc94a77792bca35cca93345ab4239a0224c5fca7022d609d20d4c1a5c19616e225439f321f487895c886238f96c0131719607

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{DFA61F38-06E9-4E86-860B-AFF945093527}.session

Filesize
2KB

MD5
6b1c6e6c0583d1b6ef2126ba92ef8039

SHA1
92de1069685ad1c0722041f24d5755b2526653bf

SHA256
c17e46820b0e01764c6f8d0991962bd4a28c38b21fe200985f62e7f5a1c10718

SHA512
f668b708d895d7b1cf0230fce7ce0ba4afa82c2a5b818d9552b5d30c9f9dc7a7e0e731bfe7d6ad7252aa6604dcef58a63d615f862aa9b37dd3963469514197bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{DFA61F38-06E9-4E86-860B-AFF945093527}.session

Filesize
2KB

MD5
720bc53b03417812441d91938190f3bc

SHA1
d0a1b8b068a54f5e6d897001cf532af093584493

SHA256
316cdb1a9bb64588a763c604275865048f5e0f17a5e7c122b444025ec236cd2a

SHA512
5ab8b113a96c40fd44af24d036b43c84421eff3716cd41a97a25710d7b4f48d437c0c676267620568a0fdf4acdc5f5eb18a8b6b21541687620ee8b290c22a1fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{DFA61F38-06E9-4E86-860B-AFF945093527}.session

Filesize
3KB

MD5
9a51cfd604e950d1d018e52431c31b6c

SHA1
138c257c324b092146b099c73dbff844f72e8a97

SHA256
4a98622d6ce9c7984ffa1312029a768605dfb8d43c5cc662a9b760d31ffda355

SHA512
66526e0f3ba7f0b0e6cc6f4a26fb9e54925eeecd015be18db8c25b182a35331edaa43acce746b82869b6a1b3873fb1f27c3412efe42bbc9e88546300f6db66b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{DFA61F38-06E9-4E86-860B-AFF945093527}.session

Filesize
3KB

MD5
b03162e3509cacca8359812b47d0576b

SHA1
e69db0695c04387fe8a142d7edf7baffb0008b3f

SHA256
1bd22c7883addfb29570a1bca677730e333e729220d3e82afed91e22458780c6

SHA512
29dd34bfbf23d59511adf593eb5ff9d4c3f455288fd9c5749d017edd5d2564269df38b2c7d6d06cd05ad8506d9e6fb8040af267c3b6bd1176c9512746725df9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{DFA61F38-06E9-4E86-860B-AFF945093527}.session

Filesize
4KB

MD5
8f903fff414bb2c3efaef90c0249e9d1

SHA1
afe2c677170cb137a2b787272a27b782da930620

SHA256
dc65ceae3a7c71494270f07bd9eadbead5efd4b151e265f9744a0186f94f59c3

SHA512
cd9537f2ce9e985baceb2932d41b878d673fdca6469a4f6c23f8751c24b10774a2a83b62104e7451ab10409a098818ffd553f339040c0e0b329caa1401e8cc4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF450.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240611_230123921.html

Filesize
1.1MB

MD5
f2ef9c57a622154273c793bf538c4fe0

SHA1
41f07b3ef454f7cf0b957725f18b64c9dc38237b

SHA256
4ceebacf2660e26bc66518d2fbf5b9948e42e6fa96070e61b12ec09a86db1cd9

SHA512
db8814509a6cb5b65390f223f580f4cdd4a10abb34567d089cddeeacda49cfce3de73e270615b4d4f94fd67bb90d91301523747fdf74865d980380534e4a1b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF4F0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfbazs.exe

Filesize
2.4MB

MD5
dbfbf254cfb84d991ac3860105d66fc6

SHA1
893110d8c8451565caa591ddfccf92869f96c242

SHA256
68b0e1932f3b4439865be848c2d592d5174dbdbaab8f66104a0e5b28c928ee0c

SHA512
5e9ccdf52ebdb548c3fa22f22dd584e9a603ca1163a622db5707dbcc5d01e4835879dcfd28cb1589cbb25aed00f352f7a0a0962b1f38b68fc7d6693375e7666d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b1ac8e079a649efa02becea3a5d0985c

SHA1
27ae68692e1ac5a67f3865f139389272f696e13d

SHA256
e663619015ba1751da2a915ace1b54f733670906f441ddf11ea5424be19028bf

SHA512
46d7459f5cb01981a639af9eb7407e22aac78c5e518fcd282b62b6daa8b199e8391c05688167b93b8514227f92e319aee194ab928fd2e0c3787a437603f31356

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi

Filesize
1010KB

MD5
27bc9540828c59e1ca1997cf04f6c467

SHA1
bfa6d1ce9d4df8beba2bedf59f86a698de0215f3

SHA256
05c18698c3dc3b2709afd3355ad5b91a60b2121a52e5fcc474e4e47fb8e95e2a

SHA512
a3ae822116cddb52d859de7ffc958541bb47c355a835c5129aade9cc0e5fba3ff25387061deb5b55b5694a535f09fe8669485282eb6e7c818cc7092eb3392848

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Windows Logoff Sound.wav

Filesize
724KB

MD5
bab1293f4cf987216af8051acddaf97f

SHA1
00abe5cfb050b4276c3dd2426e883cd9e1cde683

SHA256
bc26b1b97eeb45995bbd5f854db19f994cce1bb9ac9fb625eb207302dccdf344

SHA512
3b44371756f069be4f70113a09761a855d80e96c23c8cd76d0c19a43e93d1a159af079ba5189b88b5ee2c093099a02b00ea4dc20a498c9c0c2df7dc95e5ddd49

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\fatalerror.exe

Filesize
24KB

MD5
e579c5b3c386262e3dd4150eb2b13898

SHA1
5ab7b37956511ea618bf8552abc88f8e652827d3

SHA256
e9573a3041e5a45ed8133576d199eb8d12f8922bbe47d194fef9ac166a96b9e2

SHA512
9cf947bad87a701f0e0ad970681767e64b7588089cd9064c72bf24ba6ca0a922988f95b141b29a68ae0e0097f03a66d9b25b9d52197ff71f6e369cde0438e0bb

Download Submit
C:\Windows\Installer\MSIA4CA.tmp

Filesize
88KB

MD5
4083cb0f45a747d8e8ab0d3e060616f2

SHA1
dcec8efa7a15fa432af2ea0445c4b346fef2a4d6

SHA256
252b7423b01ff81aea6fe7b40de91abf49f515e9c0c7b95aa982756889f8ac1a

SHA512
26f8949cad02334f9942fda8509579303b81b11bc052a962c5c31a7c6c54a1c96957f30ee241c2206d496d2c519d750d7f6a12b52afdb282fa706f9fee385133

Download Submit
C:\Windows\Installer\MSIA5E8.tmp

Filesize
96KB

MD5
3cab78d0dc84883be2335788d387601e

SHA1
14745df9595f190008c7e5c190660361f998d824

SHA256
604e79fe970c5ed044517a9a35e4690ea6f7d959d21173ebef45cdd3d3a22bdd

SHA512
df6b49f2b5cddebd7e23e81b0f89e4883fc12d95735a9b3f84d2f402f4996c54b5fdea8adb9eaa98e8c973b089656d18d6b322bd71cb42d7807f7fa8a7348820

Download Submit
C:\Windows\Installer\MSIA5F8.tmp

Filesize
128KB

MD5
7e6b88f7bb59ec4573711255f60656b5

SHA1
5e7a159825a2d2cb263a161e247e9db93454d4f6

SHA256
59ff5bc12b155cc2e666bd8bc34195c3750eb742542374fc5e53fb22d11e862f

SHA512
294a379c99403f928d476e04668717cdabc7dc3e33bcf6bcad5c3d93d4268971811ff7303aa5b4b2ed2b59d59c8eba350a9a30888d4b5b3064708521ac21439c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\alert_sml.gif

Filesize
64B

MD5
372323825b9ade505530e4cc5db14aaa

SHA1
33804efd902d96dcaed0e68b271b8621f8299aa6

SHA256
2535f39bfb5ef0bf2bf336d35423a3ead95936db9712556a2ffebdbaae5ec5c6

SHA512
ea0a16301d8cafadb82533859bcc344560b1632e09b9accae8d2776f0363410abcc989fa1199bed9e7ad30d72c6ca03a21defea986acebf83900bddffdad1abf

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif

Filesize
80B

MD5
43691c6a5ce84d6a911ae539def67928

SHA1
88e74c158be8ff3119a46954a628b6e5cd933494

SHA256
4dfa6ee97929b0bb9faa63a36b723ebbd213b1e4423b7f83b997e688cbe22f5f

SHA512
43ccf9be03ae3a0428cfc5684b683ac61cfa938922d49a0ce0645491e67904975633db5b639fec6c572d77941ead61547f8c2b0f7047b6a6efe408cf40da02aa

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif

Filesize
80B

MD5
c0fa91f629e5670d0422c35e8fa2f408

SHA1
cb23a1953924b264a3e590471255239a00118de2

SHA256
7d881712269cfe4e9bbf10e25e55720bfc17b036cf5b27cef9e9aa2f2c7ac850

SHA512
447523bf90d3e841ec69d8234b66e5bb8031c111164c16727a8c1a634155b3da0bdc9ee5b3af04fef0b7e0692a4f16477d9b4af795a658df373042b770023e1c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp.aspx

Filesize
6KB

MD5
b590a1a92134dd60f022c06f0979d771

SHA1
3e2cf1d2febf7d42b4c00bd0c67c9bf636681e7a

SHA256
ffadb58ea8db16c82ce0deba23c924740b7524311bcb3389d8fe4662046dac3f

SHA512
72d0c942029406a589b54a607b9671d5f15c847123c038a419bfaebb8860f47f20290020eec73930def6a42b04ecfadc55c3f518e047b61937db41de80363964

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Application.aspx

Filesize
13KB

MD5
a225bb6a537628c80d4d084c3ea40345

SHA1
614ff305f5a1119eb7bee705e9436ed303a0764c

SHA256
ae9206d5272782bd87086d5d1090f5475797805840cfa0a6d5fadaa9ea668c4e

SHA512
4b69513eb0db98ef5a614601e728e5ec2b85b14e964e8affba0aee0762e866b3262cb70fbcd92ef2216d990705fa47a560f6d5a2295eda74f2f9b9cd65da7b29

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Internals.aspx

Filesize
3KB

MD5
4ddf6267bb7b18373d647f4925e26eec

SHA1
1ce56c9f6eda266fe3ea8018cd9066c9779ad569

SHA256
7fc0bacc9eb5aeb88732ddd3907d544e9c44b84cb58f7bfbe7b9e2b2ea746a5f

SHA512
8afc02bf94aaef661938d8e6b1c680c0ffd01657c25df4dcdc82141a86f5c92239c084e46526686eb756c735303c073940a234677b5d054834cf9ad3c11b230b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Provider.aspx

Filesize
6KB

MD5
4e7121196ce93fb4fbab104de4ec5a84

SHA1
9e321649b9ae960ab2cd7a01ee9ce2454d7c7f67

SHA256
e03be37d4830b2bff29d863fe551a52e2fdba7d6e251e07d2760e99dd0cdab4a

SHA512
ba02c838a34bda60902f70d343080367f34a0ad108ff876793ff26c6d7581d118b035c78bf55f8732cdd4670926597f9bf6cd478d29562a6df8d1912a26138f1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Security.aspx

Filesize
10KB

MD5
2ac9f4ea0eba1453af4f98d661072421

SHA1
791a6c85dbf6a68e84b5a40fccce6a6fbf5c4169

SHA256
3574e0ff04d0f4fb5fe598f5d5489e5c7d0c6064697511ea2b9be2040b97a174

SHA512
1a178775f0000188073f660d9c9a868f606d3faef61cfd18bd2a46e4fd0431493f0cd038b952f9ca60c70f7cb8532ff719868bb6d4bed457ae0224f3b3033a3c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\DefaultWsdlHelpGenerator.aspx

Filesize
68KB

MD5
dda8eec428a18a3e6b8c434da8d59ffc

SHA1
1e07dd8feae5efbaf13593895cf7723741e64215

SHA256
1439312ac644678654da76e8c768b08eb8be03b9268890ea71aaf23f81498dd2

SHA512
0a60f8de6551eeb721d91abbaf5e02af62b871b8840cafe3561e903cc04706812a50977275decec3a8e974147b37d3f17ec843f11f9ff1da5015d9aa294e0ad3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallCommon.sql

Filesize
24KB

MD5
1b6d6c59f36323eda68e0cc13ed3ecdf

SHA1
cec37312ebdb7b446642de0be59e9ba492f8fac4

SHA256
2e885df570e97c02340ca63b39f48f70f2fdd567d3936a1995aadf3f82e82f44

SHA512
569770360fca0d26e788338024cfd5f4eba8961f2d6d12ff1b7a9a8af1356ec996a248ce7b99fc90d134e129b996e5e3f5956577a1edde3c216b19049ec8770c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallMembership.sql

Filesize
54KB

MD5
3c79746dabf6c3d904134871d34bccf9

SHA1
31251e34b1ef356cb3d092c84e3396284e7fce25

SHA256
dabd1361beb08c5e87513350dd0325d843b92471ca69f0c34ce3fb2662824123

SHA512
6d9b2d67a797e933ddba471f3c8ae9dc0e537c853f2eced52f220caa49ca6002953afb18d5b2935efe5bfb4c8b14fa209e5ad5ee37ea5cd4814cd8a797709c3c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallPersistSqlState.sql

Filesize
51KB

MD5
823b804c3536ced5927cd88b86151b5e

SHA1
c806ed3099751dbfe9fc0288abb2ccb93ecc90e0

SHA256
65099047af9f9c7c473368d38fbf9a699a38efeca9a343900c761df806017d33

SHA512
1ce21ce4aae0f396480ddb42710df17426a69ce605dd8d6ab995411f4689836a7ba668d6b2888e2ddbff6b8dd5c068798e9944a786b770631ff4a7e3452beb72

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallPersonalization.sql.fantom

Filesize
34KB

MD5
a90d887e08e0861a0785d9c90a9bb003

SHA1
ca03157383b04829dc57f019f64d5341401b1b03

SHA256
9678b6b828488ed160b06cb054a8ebd9b49dbfbf68de6c38880240d7e2aaa456

SHA512
0268d3496335057412a6f23544b19a8d6ceaeac0f57607207700fdf9ebaef3192f670b2fb3b94e2ffb7e64bebf19b6761043c9fde9fc0700ffcfd7b3e01d5b27

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallRoles.sql

Filesize
33KB

MD5
72d4daae6e526281d9e01a7e4da15a8a

SHA1
723af725b2722aed65c3896655efd4d1ad651390

SHA256
08e5cda659e9a027b3555888f4d387a11150cff29543a73a08c08b5f221bab57

SHA512
ecd0c9c040fa1551e0d9ef63cdf324b3f2f4658bd43d90536879a415ab84011a6c35eaaa9c5db72a7060cda017e5c4b53f02ad3985432122439d35f671912bb8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallSqlState.sql

Filesize
50KB

MD5
1cc46743c215376cb42b13253b712812

SHA1
74e1286e074dbb5656235ac4a1abc64be1cf2030

SHA256
df9f814a4c68125ab04e95f63989aef3e10ba422c6c82fa41c4d5fe69a26c931

SHA512
5af67a7246d395343cf8522f38a2b624f0ccbaf23c7def7c5dfb1b4f94f931a0a61d26a0368aa7f36de308721b62c63ab2901c7e9151a04c4e21ddc1a4943de8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallSqlStateTemplate.sql

Filesize
52KB

MD5
5ee51a27fc7981f45fa11a1b79c8bbf0

SHA1
4357421a4df3150e679394a5700599700921d699

SHA256
0459a97660365c535897171981416fd61209c76d5ec6487cd8735194757d98b8

SHA512
e72d7be0869ac7c001e0432f00a0adbdc6076a2a8575c77e12c3d2eaf0a6fcf635225f5241047c9088de0daf06b3106e7d15c5234616db14331a6526906832ec

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallWebEventSqlProvider.sql

Filesize
6KB

MD5
224d054b3ef5e856a54134b91b5c4743

SHA1
d450e86e1b08eeb3d9abe7e871103f1c600825af

SHA256
28368200d452e1b5ac6a3ddb6319fbb6a0723c39df8ac97fd22c19436485ec55

SHA512
7a4a4d28566f597560cc227c439627e4af7acefbf2364504fa5c1a3d238c17305f772ef5d246b5ab625e962c2ddeb83d2503b43af16ac40530fb5b31d42ca3ce

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallCommon.sql

Filesize
3KB

MD5
843c200070eb265d7a6fd6cde2065dba

SHA1
cb1afe2faf22d39ef7d7f5d21cf14f275d02959c

SHA256
0a45845dc85d81aa725080af72652237609504006d79336ccd31ebded0d87637

SHA512
c59d20ed3ca215f0a7a91a6d27f815b410cb584d834868e31943a327f7022e57d8657a3276bd006d01f1b654be64e91cbaf3591577b4054d26dd72feac94b8d4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallMembership.sql

Filesize
6KB

MD5
524976cdf4bb96073981915f5063698b

SHA1
ff0feaebbb0377ef73164ba21a2309780024ff72

SHA256
f8d5a1fbf54470c50abb82608b409042b892bf41f8697a9d69584b8eed1eea7b

SHA512
d092ee715b966235f3dd9213381d218ef322a972cd8db330cf6d34da582759ac804aae1998723b3b0dc6eca748af04cc1559084aefa2a64c4610b748681d188c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallPersistSqlState.sql

Filesize
9KB

MD5
08a6480fc3049ab30472acb35aa5b2d0

SHA1
c2a20edf52a891e1208bfe596047a631bfaae43f

SHA256
f9c6ec033469ed66c6df22d76194d7a1bcaf3a7b37c95d3149371e1281858dea

SHA512
486262465461f9c89e55de0a19309b2de8ac36903ced58b4171ce8cdbbf8266a5b11788cfa3cd0de7babab425545bdaeb9b3809318908b406a416b9ff06cf733

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallPersonalization.sql

Filesize
7KB

MD5
c7a5cdfa3365e633c112d22a12b79d06

SHA1
0f4f76fbf90d0051832111aa724202c04731886f

SHA256
2a742b1ab982cd45295c1b5f35b161c9d10ed88c16f9cbf4eae85f2fb246952e

SHA512
57dc89ba3d37b0d349e219a77150c7234b36450a8888c5b48d40cd46c05b787a1f8bb64919f13407708f3513399e6f14fa4916c6e83a367db6e685c686a1f392

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallRoles.sql

Filesize
5KB

MD5
1103f0a381f5bcb8b6b5c4fef103c21e

SHA1
381f08d2772831a7ab0976b099a2856d05b52813

SHA256
f013c01e3d9c9cedecc9c3f501c7836900875b5b721f4a0a42107e82f5624e56

SHA512
f2efa7af81eff71a48551b2d62b7a7838166630ddaaac58f51613f82aea0cfa3cb480ba50efd97c9167308a0ee49d20a4021431f99480d95fb9ecbe91dbe6033

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallSqlState.sql

Filesize
9KB

MD5
7f24b0e6b69e5b72f7eea2bf11c5102e

SHA1
9e30edddfa8b0b9433918ce36d6193a75eb7b734

SHA256
983f4a9d9af964f233d0b37f49e45f2c7a591ba3d4240cef0501e8d19db23141

SHA512
36f6c1680c0fa57ad17d460d4fecdbedd55b9325dd0a86b96c5322e5fcfc55f1525b339b91b01d9ac86f1b2af19e968261d1a32f4ac55d553a00010c912f4936

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallSqlStateTemplate.sql

Filesize
11KB

MD5
b16a6638867fa71e550d82b3b87d8541

SHA1
7f854f1e9fe1f5b7f9f78d1be8f0441ed787dadb

SHA256
9056d2323661e248623aa37d883ff38be07c65bb43afd2bc1b8af0f64785d9de

SHA512
74f1d0b8e31fd1902aee968f4fa939b3c6cbdf8bc6f4a55d70d131ef39932a5765c390d2959c1625eb7601aba5ca8ff0e6cfe2e546280e396399c23c2132fd34

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallWebEventSqlProvider.sql

Filesize
2KB

MD5
f7e2f640c26039dd643593eed9ffe69b

SHA1
735c0b0f732d34d731280be9ea3d23ffffca5b52

SHA256
3de384d63e2398a8dc94ef218c4f6a0cd691791cb94866913fa13f8f7847b428

SHA512
bc2f022a21c16cf02c3c2ce2c011bed142b1748199c210ec24d7bb4f491a525135e9feaed88a25c03564e32ed6631e24df373b2ac175d129b7de22aa6ce5ff67

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\CreateAppSetting.aspx

Filesize
3KB

MD5
d24f35474c1e7ae3928dedb272ac70d2

SHA1
d0b31cca0a5ca4551c879066a478fe1d647a3e73

SHA256
fa934ebb444cde1abac14d8f44c3a790d7e8b359185ed9b426263f26bbeba006

SHA512
19984bc59a70f4af3c83470beb30537eb4f963d2af0178dd9185fd6a262ca6f6a152adc8ada7b5d0c29398cf0598eea619ee965613748d4ff545fe99ba40e478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\EditAppSetting.aspx

Filesize
2KB

MD5
5b5c8906a74b0df16686b65ca990aeba

SHA1
cbeb0fdb4ebe022fc2756a56bc3375d329895dde

SHA256
a9a202690ca2ea37bd8ed9c6890213f15f0d23790af8f1bda4c7eaf6b3eb2b17

SHA512
a8ed6df197cbaab2fded5faea15bc59389e7c93e1a8d0d0e9ea92abdfaffa3fe77f3fa6065f0750f115481821c22bdfeccba2a3789bccc8b4282a0016e4f1c7a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\ManageAppSettings.aspx

Filesize
14KB

MD5
e58e18ab85896016cc7d80675d424ae3

SHA1
a4df09d234160198c8f3d3204d6b41c6189fbf09

SHA256
d70af4c971e5930a8f8323a89c427d38ca0a48b468ff1fb0b22006e79bd6e38c

SHA512
bf5cb1709f29b0f17ed67500b47ec4a4f6263f9217f4a5c5f334bd988118d2936a0ccbacafdd650e4300e165366e39df89bf174adb22e7a11c8cc4ac423fe39e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\App_Data\GroupedProviders.xml

Filesize
320B

MD5
9d9a7ec512dfa1daa359488bbcd8dfa3

SHA1
6cd8775e6d02d8552ef8df65890fb4ac8e733464

SHA256
56a97e2523e2144d97c95024796b7011e046f1e11587b54db4d490a2ddea3164

SHA512
da7d0bcc8c89ac9e4cb810760ac78cc9998365a505db0bff92c99f464a229942260a30acb99c66ccd63450edf4e29eaed7293183b1ae8e0dfc3bd4a3302753dd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
19c291d8d6083c3b3db276f7f62bd882

SHA1
093f563b626fb69ad59cdde20480417f5d19be7d

SHA256
e12d097334fe8e1f4f4104df1cacc25bd361c52a6076bb3d670d1ad83cfdc63e

SHA512
57c4a18db00d90460cb787cd217c79c014a0001a272defd7d69964aa29ca5bc074234e1bc391beafba9613d6b3e79e975582a0b72b7efdb8f4e80e65f941dbb0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
9e6e98e86da8ac3fc4c2ec1442c387b7

SHA1
b1676023305a92472da0ef6559ae31b529387099

SHA256
5e47a9cbf8c495a8556b6781a9dfac74d5b83cd15df54f4309ec91ed5e03bfde

SHA512
bc44567e6219d32d42dbb02a30e591bc32117c47181db986199e9d41b57a1a04b871c6f946ccb20f05999efcaecde3d26a374570263b288f7507d964c3791710

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
960B

MD5
2954abc1fb2aa30e16744f9c50d3e84d

SHA1
0cb8b47b6f39508cbf86a7113af4dcf7351eae20

SHA256
a20a3709cb2b470772f48e73ef5e0430755a4b101130358098d3ee201254171b

SHA512
cb66b9e0b6e3535b41a4246a57798632db57ecf7a60a2d1e89a26b6cefc8f7b847259945df54e10a013b3d63894bb6985a281206c5bebd3a750b9b24dc873b5a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
128B

MD5
ed5b80a1b24285b18e057a1959ad826f

SHA1
0740eb72b6b08fc470d8776bc94e6f1e73bc5853

SHA256
1d5b347f152b586f3fcdf2019477f4280f04f93847d6ab9f84618ceeb00efd51

SHA512
b0fc1e77ec483b2ef46f6e237602f4494306bc1c8a25eea2789d84f81aec1ea1bc64e540a6ac4d39a471e2750fd2e0141385955da030c48072f77ef4d3b2b4c2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
eb49e15d50e753ee4dd53763dfc28566

SHA1
76a2b3623af0dbf67439cb8d221e40e7e6887428

SHA256
80e3a69759bd81d231c8705f00ac5556c6ade95547ea441c9e3490f4fbfcdcce

SHA512
e26e05e61839c5ade1d9e4a89f9f786f77bdb8251a6a2de2edfadcac241292c164b3164f18670e93d2117e42a6bc28c5b628cbdfd403d8ec007e6bac418b9155

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
92b58aee98057111d45f80f58c912c5c

SHA1
fe3753c9cfd2e11bc3c58c8fccede3711fac0897

SHA256
cbc044c383e066f1e33240a79b9be39b6e210a886e6451dab066ef219e4ad45f

SHA512
8714f10581739cc5db459c470e24bf2a5823c80473914a35b6c5432540440aa62a331529e7f342ec9c2b5205b813a47e10dfcab69e98a855aacc4b3451bae54d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif

Filesize
64B

MD5
e65da676153a3b7f941efa5ca70a4067

SHA1
abd50fc9e28a50986d7e742a0727b677b5a04a4b

SHA256
ee26038a4ccf78007a9c2c2c7fb4258b8a074702cbb6011fd8546e6adfe8312a

SHA512
94a34eda4015e1fbe669faf691645b1c2a22bcfa0205f62ac725b5307bdaba17686238f8f45fe107a3402d986db46d88e2cae5ad087f6b219ac28988d7557c06

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
928B

MD5
3b4afc017dc0be00f86181e1d231313a

SHA1
c6beecf8989dc393f144b12578082334f2e240b5

SHA256
ea5a082240c5cd1185c563949ee476848403652b7fd7c1d766bd5902ea782669

SHA512
a072269151c7b7ba56c38e106f23ef36f8fe089d643ff2040872297b980277b8a657c74add661b99c21133ca9948d2a486c311f58bea83143c093974bc369871

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
96B

MD5
43baddac9f0d23e71ce3721bfb24d1f2

SHA1
293f1ea159741324b7b36f53a1c27f5197a36049

SHA256
d19ef7460782952270242a932ea9c7dae8a55d7140e90d9e2416e7e8e7cd08e3

SHA512
7360db58eb11570b5d498d6dd039462ffe66b4e98f45577da7969c2743b07c34c5c1b41633219394521d20423d14533d10662e3bcac5d17ab2bdc58bdbeabbc9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
96B

MD5
3788c70f42733059cc9a4b33dcb0ec81

SHA1
cfcb7004fd53d694f132ee8163aa4db849975fa1

SHA256
eabdb8920cc052d53bd49ae7453b0cb8bd86aef2dad3e6adf89ef8be952ea898

SHA512
07eebc8fb7cbed6ba5ae14d0e722d10f44300752c2b650af812c999f7203122f072431a4a7ac5a6bccd3c79fa6df0e6aa2e3517faead120d738df6d6effbdd45

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
336B

MD5
91d3ef0a8105d990557da77b0312c7d8

SHA1
dda84f86e3622381e84841f98ffa69dec91b5459

SHA256
97c59fda491949401f65aae128b3e6e6a9ae7b7025d983a6ba586269890abc76

SHA512
a0e009fe8b930cda16167b5b9fa9f29eeffd44b15ef0af08f4b5f967d719319103cf942cda5471a85dedbca3a7b2513785f2c2b668d51128639fa2bcbba8d09f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
8f55e286c4f6d941af439e0e30b859eb

SHA1
ab1616109187e6890a17498d41527c60d72fe13a

SHA256
c8d2ee25a94327c3ae89e405cc2b0f12923df790f91dcd0bb6064e2e37dd1a4d

SHA512
845ac5760c5050dfa3de8bab0302ff3dc64b89c1d3cb4631665c370105bd36013426dbecf70424c874bf5cd0be81cbc649bd183108b76866998b728a0d57281b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
176B

MD5
c3884ab6b40aee9b82b315f2897f89ec

SHA1
4da9cd027a92b67f914cc2712b75b06dffe5f5d3

SHA256
661af66f4562b3fe8a7c5423ed12a8d767d1943ada6b866020905312e9ad3d92

SHA512
78e5b5e3c4519b7a3ceccc31c53c544efc6837234d63332fb768370183ff526a416018daccb4866dbf5d1b119a3c7040513e88c828fc2d4728654ea3e5efd172

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
592B

MD5
7764f50b97bd2ca1fe7225c7b3ef65cb

SHA1
5c7a551cd8af54d5133601b8a1ee389f9b5af2c6

SHA256
e1f8a829c7e09cd6f5bc99e7b0ed03b49d239d6fad3c8f4fbf26e1f422841423

SHA512
110cc6df8a130000527cf1e8a1f5b535f23d4e65650ebe51736b3f22fdd0d91fbe85be8566decd97e8cecd2a2b5a27acd564532c864c11e90a79df876424b153

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
128B

MD5
a8a3f5741afa1d0297a90b4392c14e08

SHA1
25e7e9d3a250dd4f8611b627e4486cd8e0ec2d9d

SHA256
bbea3430baf53e8de79e61d18f31d12d3861a9ca8dff3cf6a7e04a6d445035d9

SHA512
ec46610998ee9e5f547fb0f269d18c45f3eafabfd537f7428cbfb6d21bfcde6ca3e68aa0d3e40dfff22f98d9551d2f464646c3dc9c4379e1ac3129e3a231c7e3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
6f794664236069c186cfe00479182886

SHA1
b18ecea103ed5b92c11b1bd83b0be259887d3720

SHA256
ccdbb021b7acb2c3d8a7dadbec0800b0abdaa792c0e80f2edae63addca4e095f

SHA512
c58c641708c6b53b584370ec7d17cb119a877f8ab2acc3e3e652bca357d31e6b21f6807f3586d7e192b177297492c1cfefad6fb416dd720b885528ee92a84d84

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif.fantom

Filesize
896B

MD5
996f7bc333c7455bd0c2c10388fe96ac

SHA1
e580259420e85576766eff6bb395dfa5967aead8

SHA256
7a514dfa422e2aa57f622160cecb18718ee16f6a803a1ed3cecb218055e6049e

SHA512
8f9daf0215e8b6d96cae16caee0ece1067e11dca0892a433a61425f319f09bd2d75c7059be034565140148110f99f062066fbe8fdadad870cd85b7250ef68e50

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\ManageConsolidatedProviders.aspx

Filesize
12KB

MD5
7c779ca598dae00506b973ff710b2f1c

SHA1
f8c17628d365e882d29f9a57748e10879ddb8e8e

SHA256
81da11ae8b3434dd21ff3bbe0797bcd15523fc5f468be7801549c1f5fb123b2a

SHA512
88bc0052edd646c6a3989c04a98e7d18ba4b3463f2d126e70166a2c993210721a5513c05fe0b306ff9ff8b3516f53d9e06219a4e6aef7cd54f61553b61b2c791

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\ManageProviders.aspx

Filesize
9KB

MD5
1b5331bd1f8546ce87625440e7136011

SHA1
593f9e4f86fa5d38a7a3ba6bef37d80b89769949

SHA256
2b77a99eeb38a2eeea74598a81acc333514aeddfb71b254d92b68422723157be

SHA512
6323c6f18346806646f4a7223c16d2d1282626c65bd0c53c6a58990713ca51b897afe88766cd3cd27b01b2614f743c317755c224922a0e2a99ed16af790a2c2e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\ProviderList.ascx

Filesize
9KB

MD5
43bf128526e3b32463532b491347c4e5

SHA1
b2606c2a270a4e251ac8db597a73fe9efd6e4a1d

SHA256
dccea7cdf2b3d6c93fc5582482763411860740413d02735cacc3967ded3b9a55

SHA512
983d73ee15fdcba0877012de3a0f30b648e455bdbac3f96e62e6090f98cd7b9ed3ed1b16d16ea816b7ada461d9d70acfbd3738c332ff351f576197bda208da21

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\chooseProviderManagement.aspx

Filesize
2KB

MD5
9a0fd9d5abc3fbd0a1b9cea3d0bb267f

SHA1
41d7e39b2e9c8100fd00b6c4b4b979dd7206c719

SHA256
11635820b7b4650877c6de9a2508d149f29136aa2ec38fa4237208d9b7ea269e

SHA512
7d2a624a62e1ec69b301abe4d7b6d20b0f74ccd862b33d2825f29e1ac74311ddb3bcd1d2cd43027bcd7f9de91becb6e553ba1ef785728a3a0c169a7af229d2f3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\createPermission.aspx

Filesize
10KB

MD5
5a078b22dceef2ca07937f5a73d8d90b

SHA1
053fb15b2813e658fa0b25355961dea0bb4ded69

SHA256
1fc9826a689fdd4605fa71e03a73bf5156578dd8dffcbcfc47632d6bae390982

SHA512
913090fbbd0d74eb64fe7e657040f3c56e481a12f46d757f10ab060e09eee5f79d87c66295b0ff84a7d6508df86e7201bf39ce4a130bcaadaffc5ab18e583b98

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\managePermissions.aspx

Filesize
21KB

MD5
cbdad401390276b62bd80aee05302086

SHA1
3a2c9b3d20057bb4a20cadceafd72d30ed697d16

SHA256
21b41e4f31e65a995104f3744b0a5552fa19fe18218ff295eb9d0d8afa0c0e08

SHA512
5ed97adf1c15ccf5cdb62076d3b80fb2cc669c65f1b54e4e8d4dc821e53e219e6f246615caa8c36729bcc572bc00af8b23b3e60850d01fda5022e305a3b7106b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\editUser.aspx

Filesize
11KB

MD5
e77e66e411ddcc49ff6d75ef94ed89c8

SHA1
0530ff22f129cf7bac7a4264af4ba54cbbf0434c

SHA256
b8888b6fbf8093d6770efd47ba25a47665afb4a75c0a952f203b7c3ad0d3d6c5

SHA512
ab7e9270c633dcdc8696c8b4eb976ed2a15015482c60468ddfc9853500a1107d1bd5a3d8cf77336668ce1ef2c91d5e46a9053ace16fe331b226e6514ffe88cff

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizard.aspx

Filesize
10KB

MD5
e819696ec0540366ceb7a8961e148796

SHA1
fff8411c9535aff6ec2d81feb4e9a7599cd2cf03

SHA256
3b556d3c210bd298dfbda20e14df2ebe46a4688892ffb12950979377036b73de

SHA512
c7d7fb8e2d379b8658ad01ef00b9985b549ae90ee2d8ca623136c2289f57f9bdecd3648ae00f82586d3b7d3ccb90a127860fd9d5769e45276a0ebe0c84d6443b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizardAuthentication.ascx

Filesize
2KB

MD5
249c419902e8d80ad53c90dccb4e91ee

SHA1
0a7e769d28e4f7e741245be3080003b380ec70ac

SHA256
19a30e3b1fbe3e3ec50614b077b14eb0a4e165f84eb7076df2cad732ad246e0d

SHA512
f7d5090b816b492c784dd3da3072ec3921615480c006903d3d2e9f37887b66c7f8fc65071bbf0b9c4f90c32cc31eece1f7951ae8f2fc9058977011e42160298c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizardCreateRoles.ascx

Filesize
7KB

MD5
68966e73d30331f6ba78eb50765680cc

SHA1
6b1749672b35dcae251c14306398e8abef2d6a48

SHA256
9b399e360fdec87d0bf33687afe86cc96e5d4f2fc11b965af65229badd3c3b8f

SHA512
8326412298e08dcfcc5934230f829b04b4741e773304dca991bfa16045e7216aad6c863e20d5968421576d610d7e0a5fa8d7502a4bca371eec4da932bbd469d4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizardFinish.ascx

Filesize
272B

MD5
9df7fa326378050eb6c983bdedb2d6cc

SHA1
2f73775531b7cda1fd9b8ed30f7f9329f352adc3

SHA256
ba923cc3f39c2fe7120d9612e35c5b33ffe81564288218f83cab64edbfe5a2b9

SHA512
0474de92870fb64e5568d3e83707b6580e6bacf078ef72010ad7333c6b1891d4dd808c4ea8b5e133a25f89cad0bed5653981e1cd2562a438d66a6f793b705933

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizardInit.ascx

Filesize
496B

MD5
935c67a20aec3eed4f7aed11bcf2d426

SHA1
808239c26d8d0c194d96fa9a38505a9e415fdb79

SHA256
1246374e9b3a220752f6de585c007d335106e15ecfe6f1021026d4032dec5997

SHA512
cf5869e3f422156c06dda39578692980504a23a0175f0e57e936b5242cc14e07fec5bca3a06c4c9b6c6cf09066678bfad35fd03441e18e74d79000106c9a89dd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizardPermission.ascx

Filesize
24KB

MD5
77d72e35dfb20dd42ca0f9e60d77d67d

SHA1
50d35089d1e018675877295385bc9e2f16ee0bd0

SHA256
aa588da60fe390807e4998587133a4afc0e7611a75aee0e96e435f4ec1f6ab5e

SHA512
a6220adf3e0d11454a7869b445f7dd336a8bf4a69a78e1c6abf74a5156d1a894d087d802e6eea8f1aee22d081ae3d89a386e2813cafc7f9c63fed6900b79d45d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizardProviderInfo.ascx

Filesize
1KB

MD5
3b8ffda3bd5228b7e6e4fc4cf9b4815a

SHA1
bba780e476aa56ea4bedda5cc79bab405d153fa3

SHA256
cdec926d39c000c90986a757fe91aa4a0ebe55084c91f54cc53117f69c9e826d

SHA512
3a8bf1106bb3e7f5820d69bca97766b316b378dc43585b0da80f9d6f4b8b5f1ae4d36f2cce711043487889e4d1643005a543dd0a48b1e85962238b7b47d65322

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\security.aspx

Filesize
9KB

MD5
beac5ffea45bc461bbbdd92bd1546895

SHA1
fde4ffa3f084138020550a5083ba763987361bca

SHA256
e9e1acfb53bc7cdc63b0c3c30878cd67b88680e2f4296d89692f346e35d16b66

SHA512
2ee5ef8755e4bc0c1dff13fb2eee6cdf8afc93728b0da54bdf22df8da7af68649ae6b389e716cace9f8069a1876f23bd95e40ebcac4eba20759a3dbc6c9579ca

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\security0.aspx

Filesize
1KB

MD5
516a99da8f2db093992f9331e600fec4

SHA1
8314b4cc885812304d41d01d37e70b9d775ceeda

SHA256
6a9d305a70b15589aecc71d488bfc158e58c7c8ab8970c6d66005676ac31e62d

SHA512
6c8298d5700cfef3b251c1c64054ee4bcfefd65635cc38d213a5bdea046e393d96cf2f00c93ed8f1ab0ab9ec23e19802b1f66608e4e735d97eee1f13b7165a93

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\setUpAuthentication.aspx

Filesize
2KB

MD5
cbdb665890446d9bd0f5c0a537b6574b

SHA1
df6d079896e8b070bc6eada7cd9c0c4b34156a90

SHA256
1bbf6084761e437c70a58a1067829a76f8dd44ba4fdd6a517997a05c4af4ea3b

SHA512
0c8cb3315a390f85c904fd0d9c949a5f133dece1d30aa0a516a48dcd8eb13a602a4fa973f6ef5aea3c9a7d3d806b6016a11405f8edc9a8fff7599af7aa21c741

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\default.aspx

Filesize
4KB

MD5
2fb243fe1d1c77aca1e2f975e9f9cf90

SHA1
45248be98a86d210c81b6d29acecc695b56bca14

SHA256
c860edbd1b8ce082c5e3223b574f46f29caf3f9f21dce53c176d1c0b25331a84

SHA512
1ca2cdcfb2dd25bed3d17117d88168682cb34ce2856c9b7c9185631fd9675fa94e8f665b69a7570815d9db70e14e38a54245a2ed9009a00cfca411cd747d3e18

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\error.aspx

Filesize
6KB

MD5
c18f29eb183213e938bacdcf6ff490ce

SHA1
1d70a0d440d575ce6f3d3dbef1d02464f7a974f5

SHA256
247da66bb36f606d93655dc1ba7f1740353bc9aa523b72d378dfa3bc88d1f35f

SHA512
e907aa611e07c364e410f3afc34891b25d4f822841d1cc7d18f5d7ce5662987986fd7042a381e11e617c69f92e26d80f7749f37b798067d5c4241927469dc139

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\home0.aspx

Filesize
1KB

MD5
e22ede83bc0e1d8dc43fe0dd0685f4de

SHA1
9d9813e14a0f7c036564731dcd48ee06dc767c46

SHA256
c969df3fa5f0100f91029ec8e75754fe37a739ab9a8864d3da037b5b098bcc46

SHA512
c9b37af29a768a690c717aa810b1fc1f65bfab83b7c7f0db8341615a0b1256ad488b8c860d29c88717c4824e8f5d6fb1eb8ce263adb44c809431766029b91eb2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\home1.aspx

Filesize
752B

MD5
442c9df1d0b83dd78315f8c0b651e69e

SHA1
cbcc9b6998d79db4dc8fc9220008c03900f18080

SHA256
b41ec0ca5f4fcb1e58bec7f8cdd6956fdf71772e157d5168f29cb0ad55ee3f77

SHA512
280770135aa629236e79e574820390ffbe7aaf34e0b39c6342e742702688e7dd9bdb252ab1f005d9055c7a0d4ffd9f6a8feabc1ec3f6dfbe98ff6c7a24baefb2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\home2.aspx

Filesize
1KB

MD5
e98d7289cf7d50e59e2be62943442f63

SHA1
e5b3df3d96d1fcc467abd9e31befb708ec2dde4c

SHA256
bcb5d9f1bf6ce906a9f3d7dd8e3bbfe54c4b07c93fc1b1181f121919e307e42f

SHA512
56e86f8b0277839271e4accf1ba74856c5cfbcb6061c321d8fd0b8c115520e65b7b03f775942bd5aa3ca1bbdf6c743a7fc8d80b7c21c89b22718c4dd34cc83ea

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\navigationBar.ascx

Filesize
8KB

MD5
98023a31d20d87b6b06d62eab127482a

SHA1
bf33a35868fcc92d3dbeb12cee52b0154e674eb6

SHA256
e753821db5d62154b41ccb51ccdbaa2ce528eaf5d012ff2167bacbe15deccc2b

SHA512
9c7cb276c704018bae780a1cb6ad50fab40c347fae8f7789b788a2d8dbe37c25e227f57a86255cb16df3b846f21119b750338b9efbe996e1022ce15b26b869c9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlPersistenceService_Logic.sql

Filesize
23KB

MD5
2fc7af588175773c0df893e5c32004a5

SHA1
f9d120dfbd2260dcc74a17e61e994c5320b65932

SHA256
01d01229972e09a95f9daef30b206b44bc829f49856f1e9e0ffc309debcd2df7

SHA512
656d25f012d03990054664e026113764693a7d0b9c24716111e9fa069fa5400d8c328ce53fe67ca3b658edfec4df9d56a7a63ac0b24906f7893f9482c32a30b3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlPersistenceService_Schema.sql

Filesize
4KB

MD5
22bae3f552d15a7f21647f1a2268acb6

SHA1
cfb6fd487171d8ee58e0f05426b058955031be2b

SHA256
58cda15e74a2305780c5c0c8cc755e76da824f97dacc7e6587427479ce9e43bc

SHA512
263439e6a10d908ae1a02d74556fdedb247d21dce92a50b7c3799809b863f7b8a3a12355b58743b9b28eabe11fc50c0a84a52c0ddc7ed604b6f035e002f8c9f9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\Tracking_Logic.sql

Filesize
372KB

MD5
32d30412a982f533e1e301acfb10891e

SHA1
4441fa056f810eacdf1256848c39bcbe7f272026

SHA256
ca6808a7eb4f6c0bf21004cf735b316eda7d98cb9818d7f8ae9b773979bff5aa

SHA512
d94b3acd552d28b3af7f1593554425db013d50ec46b3c5d88232a7a80d5e1e054af797f4cfade6f51b0498bcc438f9434311b0f9f819647f93effa9e69f73c18

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\Tracking_Schema.sql

Filesize
49KB

MD5
e22b8371d2157db28e5a58b0664c977a

SHA1
7b302f4507332a269f514347fac77fe035f7ef59

SHA256
df058a23abbe63ed25208395ad855b1071dfd4ef648badd1e2840a76bf3c2c76

SHA512
0ae481393f023cb51aa4fb1c53f3befbce24912bbc76232631e4cf0ff31b635c00ea4573a1eaf655a9032821617ec90a6b21afb8458328d65ce3df2a8865199d

Download Submit
C:\Windows\Microsoft.NET\Framework\v3.5\SQL\fr\DropSqlPersistenceProviderLogic.sql

Filesize
2KB

MD5
98b0d71f640e6741ec2a4f98ef5c6b1d

SHA1
9abf5b15c4ec11e934d7c04f8ad2e061313a90a3

SHA256
a6aa608430058c35f06a6bd950927e1fffebd85a41805eedc670395c1d666804

SHA512
4605e1ebb410502ad1869bfd1a83ce75691fb138f31c1890f4a6abedc953af0086e7eb127a9e11921ea9ebe85d346b7b6101ed4b8fe1a92f11ff686f2e01206a

Download Submit
C:\Windows\Microsoft.NET\Framework\v3.5\SQL\fr\SqlPersistenceProviderLogic.sql

Filesize
13KB

MD5
e52b1ff9f32bfad0705297d56dd583a3

SHA1
ed044ab8b04d976e7445c8bfa414cbae78dfaa92

SHA256
83fcfcd9e5afd782a54a5bb9284c2b146f8c1d0c0537f8d15dcd6111152db6d8

SHA512
5c439229509680ac69b48b1dc2e33e5998e021d9bc0f8bea9925a34bf3bc6ede95c0f7cef39d00220835a4f95eddd8d35296861c50bedee9adaf3e523fc8b77c

Download Submit
\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\decoder.dll

Filesize
126KB

MD5
3531cf7755b16d38d5e9e3c43280e7d2

SHA1
19981b17ae35b6e9a0007551e69d3e50aa1afffe

SHA256
76133e832c15aa5cbc49fb3ba09e0b8dd467c307688be2c9e85e79d3bf62c089

SHA512
7b053ba2cf92ef2431b98b2a06bd56340dad94de36d11e326a80cd61b9acb378ac644ac407cf970f4ef8333b8d3fb4ff40b18bb41ec5aee49d79a6a2adcf28fd

Download Submit
\Windows\Installer\MSIA39F.tmp

Filesize
180KB

MD5
d552dd4108b5665d306b4a8bd6083dde

SHA1
dae55ccba7adb6690b27fa9623eeeed7a57f8da1

SHA256
a0367875b68b1699d2647a748278ebce64d5be633598580977aa126a81cf57c5

SHA512
e5545a97014b5952e15bb321135f65c0e24414f8dd606fe454fd2d048d3f769b9318df7cfb2a6bf932eb2bf6d79811b93cb2008115deb0f0fa9db07f32a70969

Download Submit
\Windows\Installer\MSIA676.tmp

Filesize
312KB

MD5
aa82345a8f360804ea1d8d935f0377aa

SHA1
c09cf3b1666d9192fa524c801bb2e3542c0840e2

SHA256
9c155d4214cebda186647c035ada552963dcac8f88a6b38a23ea34f9ecd1d437

SHA512
c051a381d87ba933ea7929c899fb01af2207cb2462dcb2b55c28cff65596b27bdb05a48207624eeea40fddb85003133ad7af09ca93cfb2426c155daea5a9a6db

Download Submit
memory/428-1387-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

Filesize
48KB

Download
memory/872-949-0x0000000000820000-0x0000000000836000-memory.dmp

Filesize
88KB

Download
memory/888-952-0x000000001D5F0000-0x000000001D940000-memory.dmp

Filesize
3.3MB

Download
memory/888-1-0x0000000000340000-0x0000000000356000-memory.dmp

Filesize
88KB

Download
memory/888-30-0x000000001B240000-0x000000001B2C0000-memory.dmp

Filesize
512KB

Download
memory/888-31-0x000007FEF5723000-0x000007FEF5724000-memory.dmp

Filesize
4KB

Download
memory/888-32-0x000000001B240000-0x000000001B2C0000-memory.dmp

Filesize
512KB

Download
memory/888-0-0x000007FEF5723000-0x000007FEF5724000-memory.dmp

Filesize
4KB

Download
memory/888-940-0x0000000000620000-0x000000000062C000-memory.dmp

Filesize
48KB

Download
memory/924-56-0x0000000000990000-0x00000000009A6000-memory.dmp

Filesize
88KB

Download
memory/996-944-0x0000000001340000-0x0000000001356000-memory.dmp

Filesize
88KB

Download
memory/1040-52-0x00000000000A0000-0x00000000000B6000-memory.dmp

Filesize
88KB

Download
memory/1204-955-0x0000000000210000-0x0000000000226000-memory.dmp

Filesize
88KB

Download
memory/1352-54-0x0000000000850000-0x0000000000866000-memory.dmp

Filesize
88KB

Download
memory/1552-947-0x00000000000D0000-0x00000000000E6000-memory.dmp

Filesize
88KB

Download
memory/1560-48-0x0000000000160000-0x0000000000176000-memory.dmp

Filesize
88KB

Download
memory/1696-39-0x0000000000180000-0x0000000000196000-memory.dmp

Filesize
88KB

Download
memory/1712-46-0x00000000003E0000-0x00000000003F6000-memory.dmp

Filesize
88KB

Download
memory/1892-8724-0x00000000013D0000-0x00000000013E6000-memory.dmp

Filesize
88KB

Download
memory/2028-1382-0x0000000000D20000-0x0000000000D36000-memory.dmp

Filesize
88KB

Download
memory/2136-951-0x0000000000E30000-0x0000000000E46000-memory.dmp

Filesize
88KB

Download
memory/2276-58-0x00000000001A0000-0x00000000001B6000-memory.dmp

Filesize
88KB

Download
memory/2344-36-0x00000000011D0000-0x00000000011E6000-memory.dmp

Filesize
88KB

Download
memory/2480-15131-0x0000000000200000-0x0000000000216000-memory.dmp

Filesize
88KB

Download
memory/2556-7-0x000000001B460000-0x000000001B742000-memory.dmp

Filesize
2.9MB

Download
memory/2556-507-0x0000000001060000-0x0000000001076000-memory.dmp

Filesize
88KB

Download
memory/2556-6-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/2556-8-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2620-1251-0x00000000001E0000-0x00000000001F6000-memory.dmp

Filesize
88KB

Download
memory/2636-1307-0x0000000001DF0000-0x0000000001E1B000-memory.dmp

Filesize
172KB

Download
memory/2636-1291-0x0000000001DF0000-0x0000000001E1B000-memory.dmp

Filesize
172KB

Download
memory/2636-1315-0x0000000001DF0000-0x0000000001E1B000-memory.dmp

Filesize
172KB

Download
memory/2636-1266-0x0000000001DF0000-0x0000000001E1B000-memory.dmp

Filesize
172KB

Download
memory/2636-1263-0x0000000001DF0000-0x0000000001E1B000-memory.dmp

Filesize
172KB

Download
memory/2636-1311-0x0000000001DF0000-0x0000000001E1B000-memory.dmp

Filesize
172KB

Download
memory/2636-1309-0x0000000001DF0000-0x0000000001E1B000-memory.dmp

Filesize
172KB

Download
memory/2636-1305-0x0000000001DF0000-0x0000000001E1B000-memory.dmp

Filesize
172KB

Download
memory/2636-1256-0x00000000004C0000-0x00000000004F2000-memory.dmp

Filesize
200KB

Download
memory/2636-1257-0x0000000001DF0000-0x0000000001E22000-memory.dmp

Filesize
200KB

Download
memory/2636-1273-0x0000000001DF0000-0x0000000001E1B000-memory.dmp

Filesize
172KB

Download
memory/2636-1277-0x0000000001DF0000-0x0000000001E1B000-memory.dmp

Filesize
172KB

Download
memory/2636-1319-0x0000000001DF0000-0x0000000001E1B000-memory.dmp

Filesize
172KB

Download
memory/2636-1321-0x0000000001DF0000-0x0000000001E1B000-memory.dmp

Filesize
172KB

Download
memory/2636-1383-0x0000000004E10000-0x0000000004E1E000-memory.dmp

Filesize
56KB

Download
memory/2636-1267-0x0000000001DF0000-0x0000000001E1B000-memory.dmp

Filesize
172KB

Download
memory/2636-1285-0x0000000001DF0000-0x0000000001E1B000-memory.dmp

Filesize
172KB

Download
memory/2636-1259-0x0000000001DF0000-0x0000000001E1B000-memory.dmp

Filesize
172KB

Download
memory/2636-1317-0x0000000001DF0000-0x0000000001E1B000-memory.dmp

Filesize
172KB

Download
memory/2636-1261-0x0000000001DF0000-0x0000000001E1B000-memory.dmp

Filesize
172KB

Download
memory/2636-1313-0x0000000001DF0000-0x0000000001E1B000-memory.dmp

Filesize
172KB

Download
memory/2636-1303-0x0000000001DF0000-0x0000000001E1B000-memory.dmp

Filesize
172KB

Download
memory/2636-1258-0x0000000001DF0000-0x0000000001E1B000-memory.dmp

Filesize
172KB

Download
memory/2636-1269-0x0000000001DF0000-0x0000000001E1B000-memory.dmp

Filesize
172KB

Download
memory/2636-1271-0x0000000001DF0000-0x0000000001E1B000-memory.dmp

Filesize
172KB

Download
memory/2636-1275-0x0000000001DF0000-0x0000000001E1B000-memory.dmp

Filesize
172KB

Download
memory/2636-1279-0x0000000001DF0000-0x0000000001E1B000-memory.dmp

Filesize
172KB

Download
memory/2636-1281-0x0000000001DF0000-0x0000000001E1B000-memory.dmp

Filesize
172KB

Download
memory/2636-1283-0x0000000001DF0000-0x0000000001E1B000-memory.dmp

Filesize
172KB

Download
memory/2636-1287-0x0000000001DF0000-0x0000000001E1B000-memory.dmp

Filesize
172KB

Download
memory/2636-1289-0x0000000001DF0000-0x0000000001E1B000-memory.dmp

Filesize
172KB

Download
memory/2636-1301-0x0000000001DF0000-0x0000000001E1B000-memory.dmp

Filesize
172KB

Download
memory/2636-1293-0x0000000001DF0000-0x0000000001E1B000-memory.dmp

Filesize
172KB

Download
memory/2636-1295-0x0000000001DF0000-0x0000000001E1B000-memory.dmp

Filesize
172KB

Download
memory/2636-1297-0x0000000001DF0000-0x0000000001E1B000-memory.dmp

Filesize
172KB

Download
memory/2636-1299-0x0000000001DF0000-0x0000000001E1B000-memory.dmp

Filesize
172KB

Download
memory/2856-15-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download
memory/2856-14-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2952-957-0x0000000000D80000-0x0000000000D96000-memory.dmp

Filesize
88KB

Download
memory/2968-942-0x0000000001270000-0x0000000001286000-memory.dmp

Filesize
88KB

Download
memory/2996-50-0x0000000000DF0000-0x0000000000E06000-memory.dmp

Filesize
88KB

Download
memory/3012-1249-0x0000000001160000-0x0000000001176000-memory.dmp

Filesize
88KB

Download
memory/3024-42-0x0000000001360000-0x0000000001376000-memory.dmp

Filesize
88KB

Download